Chapter 1


Introduction 


1.1  Purpose 


The purpose of this document is to describe in detail how security properties are related to secure electronic mail message formats and operations. We show how system-level security properties are satisfied by functional specifications of operations on specific message formats.

Our formal analysis is based on Internet Privacy Enhanced Mail (PEM) as described in four Request for Comment (RFC) documents: RFC 1421, RFC 1422, RFC 1423, and RFC 1424 [9, 8, 1, 7]. PEM is similar to military systems such as the National Security Agency's Multilevel Information Systems Security Initiative (MISSI); MISSI is based in part on PEM. While the message field names and structure may differ somewhat between MISSI and PEM, the analytical techniques used here are applicable to both.

We use several means of description. Informal descriptions give an intuitive notion of behavior, properties, or requirements; these are derived from the above-cited documents. Formal descriptions are derived from the informal descriptions and are intended to be precise descriptions of behavior which are subject to rigorous analysis. The types of analysis done include correctness, e.g. ensuring requirements are met, and behavioral properties, e.g. security properties.

Our formal descriptions focus on:


•  Structure  of  well-formed  messages. 

•  Interpretation  of  message  structures. 

•  Correctness  of  functions  operating  on  messages. 


Higher-order  logic  is  used  throughout.  Verification  is  done  using  the 
Higher  Order  Logic  (HOL)  theorem-prover,  [5]. 
The work described here builds on two previous efforts to formally model MISSI. The first effort, by Johnson, Saydjari, and Van Tassel in [4], defines various MISSI security properties in higher-order logic. The MISSI Certificate Authority Workstation (CAW) has been modeled by Marron using a CSP (Communicating Sequential Processes)-like [6] process language called PROMELA and the SPIN model checker [10].


1.2  Network  Components 


The objective is to send messages securely from one local area network (LAN) to another over a wide area network (WAN) like the Internet. Components appear within the context of a WAN or LAN. Section 1.2.1 gives an overview of components which exist in the WAN. Section 1.2.2 gives an overview of components which exist within LANs.


1.2.1  WAN  Components 

Figure 1.1 shows two local area networks, called enclaves in MISSI, connected to a WAN with a Directory System and an Electronic Key Management System Central Facility (EKMS CF).


Figure  1.1  Wide  Area  Network  Components 

From  Figure  1.1  we  can  see  that  the  concern  is  with  secure  electronic 
mail  between  enclaves  or  LANs.  Local  security  issues  within  a  particular 
enclave  are  not  addressed. 


The Directory System functions as a “yellow-pages” for looking up people's security information such as cryptographic key information, cryptographic algorithms, the authority which has certified the authenticity of the information, and the duration or times for which the information is valid.

The Electronic Key Management System Central Facility serves as 1) the ultimate certification authority via the Root Certificate Authority Workstation, 2) support for replacing cryptographic keys (rekeying) which have expired via the Rekey Manager, and 3) support for Compromised Key Lists (CKL).

When a sender or originator in one enclave wishes to send email to a receiver or recipient in another enclave, the originator gets from the Directory System the necessary cryptographic keys and authorization to communicate with the recipient. To check whether those keys are still valid, the Compromised Key List is consulted to see if any of the received keys has been invalidated by compromise. As keys have finite lifetimes, user cryptographic keys must be replaced; this is done by the Rekey Manager.

1.2.2  LAN  Components 

Figure 1.2 shows the principal components within an enclave or local area network. In general, enclaves may have both trusted and untrusted workstations. The functions of the principal LAN components are illustrated by the sending of email.


Figure  1.2  Local  Area  Network  Components 

To send email, the originator must first be registered or certified as a valid system user. This is done by the local Certificate Authority Workstation (CAW). Certified users have cryptographic information and authorizations assigned to them by the CAW. Cryptographic information and authorizations are stored in data structures called certificates. Certificates are the means by which cryptographic information is distributed through networks.

Users have “smart cards” called Crypto Peripherals (CP) or Personal Computer Memory-Card International Association (PCMCIA) cards. Like everyday ATM cards, these cards have a PIN known only to the user. What makes the cards smart is the information contained within them, including cryptographic algorithms, keys, and authorizations. Type 1 cards are approved for handling classified U.S. Government information. Type 2 cards are approved for handling sensitive but unclassified (SBU) information. The FORTEZZA card [12] is an instance of such a card. Details of its operation are not important here.

A workstation with a PCMCIA card reader will take a PCMCIA card and use the cryptographic information on it for various secure email functions like encryption. Registered users have access to a variety of MISSI functions depending on their authorizations.

The  first  step  in  sending  out  mail  is  giving  the  destination  address. 
Destination  addresses  can  be  gotten  from  the  Directory  System.  If  the 
message  is  going  to  several  recipients,  i.e.  is  being  sent  to  a  distribution 
list,  the  message  is  sent  to  the  Mail  List  Agent  which  forwards  the  message 
to  each  recipient  after  checking  each  of  their  credentials. 

The Secure Network Server (SNS) serves as a guard or firewall between the enclave and the WAN. Messages from untrusted workstations within an enclave must pass through the SNS before going out on the WAN. The SNS ensures only encrypted messages go to the WAN.

Messages  from  trusted  workstations  may  or  may  not  go  through  the 
SNS.  If  a  trusted  workstation  has  “downgraded”  the  security  classification 
of  a  message,  this  downgrade  must  be  approved  by  the  SNS. 

Messages classified as top secret or higher must pass through the SNS and then be encrypted by an In-line Network Encryptor (INE), regardless of whether they were generated by a trusted or an untrusted workstation.


1.3  Electronic  Mail  Scenario 

A typical scenario is described by Marron in [10] as follows. Emily is in enclave A. She is registered and has a certificate with her cryptographic information authorized by the Certificate Authority Workstation in enclave A (CAWA). Benjamin is a valid user in enclave B and has a certificate with his cryptographic information authorized by the Certificate Authority Workstation in enclave B (CAWB). Both CAWA's and CAWB's certificates are authorized by a Policy Creation Authority (PCA), and the PCA's certificate was issued by the Policy Approving Authority (PAA).

Emily  wishes  to  send  an  encrypted  message  to  Benjamin,  so  she  does 
the  following: 

1. Computes her signature (an encrypted message based on the message text). This is easy since she knows her own key material.

2. Electronically requests Benjamin's certificate from the Directory Service Agent (DSA). When Benjamin's certificate arrives, Emily sees that it is signed by CAWB, so she requests CAWB's certificate.

3. Similarly, she next requests the PCA's certificate.

4. After receiving the PCA's certificate, she can validate it without further DSA access, since the issuer's (PAA's) public key material is loaded in her FORTEZZA (Plus). She then validates the certificate for CAWB and, finally, for Benjamin.

5. Now Emily has the necessary key material to perform the public key exchange with Benjamin and mail her message.
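The certificate walk of steps 2 through 4, as an added illustration that is not part of Marron's scenario or of this report: a toy Python model in which the Directory Service Agent is a lookup table, the PAA's public key plays the trust anchor loaded in Emily's card, and signatures are textbook RSA on tiny primes. All key values, and the way certificates are serialized, are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# --- toy RSA signatures (tiny primes; shows the validation order only) ----

def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA key pair. Returns ((e, n), (d, n)); assumes gcd(e, phi) = 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def digest(data: bytes, n: int) -> int:
    """Hash the data, then reduce into Z_n so the result can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, priv) -> int:
    d, n = priv
    return pow(digest(data, n), d, n)

def verify(data: bytes, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == digest(data, n)

# --- certificates and the Directory Service Agent -------------------------

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: tuple          # subject's public key (e, n)
    sig: int = 0        # issuer's signature over to_be_signed()

    def to_be_signed(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.pub[0]}|{self.pub[1]}".encode()

def issue(subject: str, pub, issuer: str, issuer_priv) -> Cert:
    """The issuer (a CAW, the PCA or the PAA) signs the subject's certificate."""
    body = Cert(subject, issuer, pub).to_be_signed()
    return Cert(subject, issuer, pub, sign(body, issuer_priv))

# Constructed key material for the principals named in the scenario.
PAA_PUB, PAA_PRIV = make_keypair(173, 181)
PCA_PUB, PCA_PRIV = make_keypair(131, 151)
CAWB_PUB, CAWB_PRIV = make_keypair(101, 113)
BEN_PUB, BEN_PRIV = make_keypair(61, 53)

# The DSA, modelled as a table of certificates keyed by subject (constructed).
DSA = {c.subject: c for c in (
    issue("PCA", PCA_PUB, "PAA", PAA_PRIV),
    issue("CAWB", CAWB_PUB, "PCA", PCA_PRIV),
    issue("Benjamin", BEN_PUB, "CAWB", CAWB_PRIV),
)}

# Emily's FORTEZZA card holds the PAA's public key as the trust anchor.
TRUST_ANCHORS = {"PAA": PAA_PUB}

def fetch_chain(dsa, subject: str, anchors) -> list:
    """Steps 2-3: request certificates until an issuer is a trust anchor.
    Returns the chain leaf-first, e.g. [Benjamin, CAWB, PCA]."""
    chain = []
    while subject not in anchors:
        cert = dsa.get(subject)
        if cert is None:
            raise LookupError(f"DSA has no certificate for {subject}")
        chain.append(cert)
        subject = cert.issuer
    return chain

def validate_chain(chain: list, anchors) -> tuple:
    """Step 4: validate top-down (PCA, then CAWB, then Benjamin), each
    certificate under the key established by the one above it."""
    issuer, issuer_pub = chain[-1].issuer, anchors[chain[-1].issuer]
    for cert in reversed(chain):
        if cert.issuer != issuer:
            raise ValueError(f"{cert.subject} was not issued by {issuer}")
        if not verify(cert.to_be_signed(), cert.sig, issuer_pub):
            raise ValueError(f"bad signature on certificate for {cert.subject}")
        issuer, issuer_pub = cert.subject, cert.pub
    return chain[0].pub  # step 5: validated key material for the recipient

def recipient_key(dsa, recipient: str, anchors=TRUST_ANCHORS) -> tuple:
    """Steps 2-5 together: fetch, validate, and return the recipient's key."""
    chain = fetch_chain(dsa, recipient, anchors)
    return validate_chain(chain, anchors) if chain else anchors[recipient]
```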


1.4  Motivation 


The security requirements placed on systems such as PEM and MISSI raise the fundamental question, “how will we precisely understand the security requirements and by what means will we assure our designs satisfy them?” In other words, how do we build it and how do we know it works?

The  engineering  view  we  adopt  is  to  use  techniques  which  answer: 

1.  What  objects  are  built? 

2.  What  are  the  operations  on  the  objects? 

3.  How  is  it  known  if  the  objects  are  correct? 

In  the  case  of  PEM  and  MISSI,  the  objects  of  interest  are  electronic 
mail  messages.  Messages  have  defined  structures.  Just  as  language  syntax 
is  assigned  meaning  by  a  semantic  interpretation,  messages  have  a  security 
interpretation  as  well.  Security  functions  and  services  are  determined  by 
the  particular  message  type  or  structure. 
1.5 Structure of this Report

An informal overview of security functions in general and PEM in particular is given in Chapter 2. A formal theory in higher-order logic of PEM message formats, message operations, and security properties is developed in Chapter 3. Conclusions are given in Chapter 4.

Appendix A defines the notational conventions of extended Backus-Naur Form (BNF). Appendix B is a listing of the theory defining the message structure of PEM messages in higher-order logic. Appendix C is a listing of the theory defining the operations on PEM message structures. Appendix D shows the theory applicable to MIC-CLEAR messages, i.e. messages which are transmitted without encryption or encoding but are checked for integrity. Appendix E shows the theory applicable to ENCRYPTED messages. In particular, it shows the correctness of the checks for privacy, message integrity, source authenticity, and non-deniability.
Chapter 2


Privacy Enhanced Mail


PEM adds privacy, source authentication, integrity protection, and non-repudiation services to plain text email on the Internet. PEM is documented in four Request for Comments (RFC) documents. RFC 1421 [9] describes message encryption, authentication procedures, and formats. RFC 1422 [8] describes certificate-based key management. RFC 1423 [1] describes algorithms. RFC 1424 [7] describes key certification.

MISSI  is  similar  to  Internet  Privacy  Enhanced  Mail  (PEM)  with  the 
exception  that  MISSI  uses  guards  to  protect  enclaves  from  inappropriately 
releasing  classified  information. 


2.1  Security  Issues  for  Electronic  Mail 


Four  key  issues  for  secure  electronic  mail  are  identified  by  RFC  1421  and 
defined  by  Kaufman,  Perlman,  and  Speciner  in  [2]: 

•  privacy  -  the  ability  to  keep  anyone  but  the  intended  recipient  from 
reading  the  message. 

•  authentication  -  reassurance  to  the  recipient  of  the  identity  of  the 
sender. 

•  integrity  -  reassurance  to  the  recipient  that  the  message  has  not 
been  altered  since  it  was  transmitted  by  the  sender. 

•  non-repudiation  -  the  ability  of  the  recipient  to  prove  to  a  third 
party  that  the  sender  really  did  send  the  message,  i.e.  the  originator 
cannot  deny  sending  the  message. 

PEM does not address all security issues. RFC 1421 identifies the following security issues not addressed by PEM:

• access control - mechanisms for restricting the use of some resource only to authorized users.

•  traffic  flow  confidentiality  -  preventing  knowledge  that  a  message 
was  sent. 

•  address  list  accuracy. 

•  routing  control. 

•  casual  serial  reuse  of  PCs  by  multiple  users. 

•  assurance  of  message  receipt  and  non-deniability  of  receipt. 

• automatic association of acknowledgments with the messages to which they refer.

•  message  duplicate  detection  and  replay  prevention. 

In this chapter we will describe how the issues of privacy, authentication, integrity, and non-repudiation are addressed by PEM. Section 2.2 gives an overview of cryptographic functions used by PEM. Section 2.3 describes the structure of PEM messages. Section 2.4 gives examples of various PEM messages and structures. Section 2.5 describes PEM's privacy functions. Section 2.6 describes PEM's methods for source authentication. Section 2.7 describes how message integrity is checked. Section 2.8 describes mechanisms for non-repudiation.


2.2  Cryptography 


Cryptography serves privacy needs by encryption. It serves source authentication and non-repudiation needs through the use of secrets. It serves integrity through message integrity codes (MIC) for secret key cryptography or digital signatures for public key cryptography.


2.2.1  Types  of  Cryptographic  Functions 

There are three kinds of cryptographic functions: secret key functions, public key functions, and hash functions. Public key cryptography uses two keys. Secret key cryptography uses one key. Hash functions use no keys.


Secret Key Cryptography


In secret key or symmetric cryptography, the same key s is used for both encryption and decryption, as shown in Figure 2.1. Ciphertext is obtained by applying the encryption function to both the plaintext and the secret key. To retrieve the original plaintext, the decryption function is applied to the ciphertext and the same secret key. A message m encrypted with secret key s is denoted as [m]_s.


Figure 2.1 Secret Key Cryptography (plaintext and the secret key enter encryption to give ciphertext; ciphertext and the same secret key enter decryption to give plaintext)

Ideally secret key cryptography has the following property: a message encrypted with secret key k can only be retrieved (decrypted) with the same secret key. When an initial vector (IV) is utilized in the cryptographic algorithm, it must be the same for both encryption and decryption. This can be formalized as:


$$\forall\, msg\ key\ IV.\; (decryptS\ (encryptS\ msg\ key\ IV)\ key\ IV = msg)\ \wedge \qquad (2.1)$$

$$(\forall\, msg2\ key2.\; (decryptS\ msg2\ key\ IV = decryptS\ msg2\ key2\ IV) \supset key = key2)$$


The secret key scheme can be used to generate a fixed-length cryptographic checksum associated with a message, as shown in Figure 2.2. This message integrity code (MIC) can be used to check the integrity of the message sent along with it (see section 2.2.4).


Figure 2.2 Message Integrity Code (the message and the secret key produce the MIC)


Public Key Cryptography

In public key or asymmetric cryptography, each individual has a pair of keys: a private key d known only to the owner, and a corresponding public key e that is accessible to the world. The public key is used for encryption and the private key is used for decryption. This is shown in Figure 2.3. A message m encrypted using public key e is denoted as {m}_e.


Figure 2.3 Public Key Cryptography (plaintext is encrypted with the public key to give ciphertext; ciphertext is decrypted with the private key to give plaintext)

Public key cryptography has the following property: a message encrypted with public key e_k can only be retrieved (decrypted) with a unique private key d_k; on the other hand, a message encrypted with private key d_k can only be retrieved (decrypted) with the unique public key e_k. This can be formalized as:

$$\forall\, msg\ eKEY\ dKEY.$$

$$((decryptP\ (encryptP\ msg\ eKEY)\ dKEY = msg) = (encryptP\ (decryptP\ msg\ dKEY)\ eKEY = msg))\ \wedge \qquad (2.2)$$

$$((decryptP\ (encryptP\ msg\ eKEY)\ dKEY = msg) \supset \qquad (2.3)$$

$$\quad ((\forall dk.\; (decryptP\ (encryptP\ msg\ eKEY)\ dk = msg) \supset dk = dKEY)\ \wedge$$

$$\quad\ (\forall ek.\; (encryptP\ (decryptP\ msg\ dKEY)\ ek = msg) \supset ek = eKEY)))$$

Public key cryptography can be used to generate a signature on any message. The signature can be verified by anyone who knows the public key of the signer, and can only be generated by the one who knows the corresponding private key. This is shown in Figure 2.4. These two properties can be formalized as follows:


$$\forall\, m1\ m2\ dkey1\ dkey2.\; (sign\ m1\ dkey1 = sign\ m2\ dkey2) \supset (m1 = m2) \wedge (dkey1 = dkey2) \qquad (2.4)$$

$$\forall\, msg\ eKEY\ dKEY.\; verify\ msg\ (sign\ msg\ dKEY)\ eKEY \supset (\forall\, m1\ m2.\; verify\ m1\ m2\ eKEY = (m2 = sign\ m1\ dKEY)) \qquad (2.5)$$


Figure 2.4 Signature (plaintext is signed with the private key to give a signature; plaintext, signature and public key enter verification to give True/False)

The counterpart of MICs for public key cryptography are digital signatures, as shown in Figure 2.5. They are used to check integrity.

Hash  Functions 

Figure 2.5 Digital Signature (message, hash, message digest, signing with the private key, digital signature)


Hash functions are message digests or one-way transformations. A cryptographic hash function is a mathematical transformation that takes a message of arbitrary length and computes from it a fixed length number.

Hash  functions  have  the  following  properties: 

• If h(m_0) denotes the hash of the message m_0, there is no substantially easier way to find an m whose hash is h(m_0) than going through all values of m in search of h(m_0).

• It is computationally infeasible to find two values of m which hash to the same value.

Essentially, hash functions behave like one-to-one functions, i.e.,

$$\forall\, m\ m'.\; h(m) = h(m') \supset m = m' \qquad (2.6)$$


2.2.2  Privacy 

Privacy is obtained through encryption. If Emily wants to send Benjamin a mail that only Benjamin can read, she will choose a random secret key S to be used only for encrypting that one message m. She encrypts the message with S to get [m]_S, encrypts S with Benjamin's public key e_B to get {S}_{e_B} (if public key cryptography is used) or with the secret key K_EB she shares with Benjamin to get [S]_{K_EB} (if secret key cryptography is used), and transmits both to Benjamin.

Privacy in PEM is gotten by using any of the following cryptographic functions: DES-CBC for secret key encryption of messages; DES-EDE for secret key encryption of Data Encryption Keys (DEKs); DES-ECB for secret key encryption of DEKs; RSA for public key encryption of DEKs and signatures. Summaries of each of the encryption algorithms mentioned here are found in [2].


2.2.3 Authentication


Authentication  verifies  the  identity  of  the  communicating  party.  Encryption 
is  used  to  prove  the  knowledge  of  secrets,  hence  to  verify  identities.  The 
means  for  doing  so  are  variations  on  a  challenge/response  protocol.  A 
challenge  is  issued  by  the  party  wishing  to  verify  the  identity  of  the  other 
principal.  The  principal,  whose  identity  is  being  checked,  issues  a  response 
based  on  the  use  of  a  secret  key  or  public  key  cryptography. 

In secret key cryptography, if Emily wants to verify the identity of Benjamin, she issues a challenge, a randomly picked number r, and sends it to Benjamin. Benjamin encrypts r with the secret key K_EB he shares with Emily and sends it back to Emily. Emily decrypts the response with K_EB and checks to see if she got back r (see Figure 2.6).


Figure 2.6 Secret Key Authentication (Emily sends r to Benjamin; Benjamin returns r encrypted with K_EB; Emily decrypts with K_EB to recover r)


If public key cryptography is used, Emily chooses a random number r, encrypts it with Benjamin's public key e_B and sends the result to Benjamin. Benjamin proves he knows his private key d_B by decrypting the message and sending r back to Emily (see Figure 2.7).


Figure 2.7 Public Key Authentication (Emily encrypts r using e_B; Benjamin decrypts to r using d_B and returns r)


2.2.4 Integrity

Integrity  of  a  message  is  maintained  by  using  either  a  MIC  (in  secret  key 
cryptography)  or  a  digital  signature  (in  public  key  cryptography)  shown  in 
Figure  2.2  and  Figure  2.5. 

For  secret  key  cryptography,  a  MIC  is  computed  by  using  a  secret  key 
with  a  known  checksum  algorithm.  It  is  included  as  part  of  the  header  sent 
along  with  the  message  to  the  recipients.  The  recipients  compute  the  MIC 
for  the  message  they  receive  and  compare  it  to  the  MIC  received  in  the 
header.  If  the  MICs  match,  then  the  message  is  genuine  (see  Figure  2.8). 


Figure 2.8 Integrity Check using a MIC (sender: the plaintext is hashed to a message digest and encrypted under the secret key to form the MIC; recipient: the MIC is decrypted with the secret key and compared with the digest of the received plaintext, giving True/False)

For public key cryptography, integrity is protected by digital signatures. If Emily wants to send Benjamin a message which is integrity protected, she generates the digital signature of the message using her private key, and sends it along with the message to Benjamin. When Benjamin receives the message with its digital signature, he verifies the digital signature with Emily's public key (see Figure 2.9).

Hash functions are used with public keys for integrity protection (see Figure 2.9). Signing a message digest is much quicker than signing the message itself. When the signature of the message digest is sent with the message to recipients, the recipients generate the message digest from the message, and verify the signature of the digest to check the integrity of the message.
Figure 2.9 Integrity Check using a Digital Signature (sender: the plaintext is hashed to a message digest and signed with the private key; recipient: the digital signature is verified with the public key against the digest of the received plaintext, giving True/False)

2.2.5  Non-repudiation 

Non-repudiation  is  the  ability  of  the  recipient  to  prove  to  a  third  party 
that  the  sender  really  did  send  the  message.  It  comes  automatically  with 
public  key  cryptography  as  only  the  person  who  knows  the  private  key  can 
generate  the  signature.  Comparing  the  message  digest  with  the  signature 
decrypted  using  originator’s  public  key  is  all  that  is  required. 


2.3  Structure  of  PEM  Messages 

This  section  describes  the  structure  of  a  PEM  message.  It  is  excerpted 
from  RFC  1421,  Privacy  Enhancement  for  Internet  Electronic  Mail:  Part 
I:  Message  Encryption  and  Authentication  Procedures,  [9].  Included  is  an 
additional  message  type,  CRL-retrieval  request  as  described  in  RFC  1424, 
Key  Certification  and  Related  Services,  [7]. 

The notation used is augmented Backus-Naur Form (BNF) as described in RFC 822 [3]. A full description of the augmented BNF is in Appendix A.


Figure  2.10  defines  the  top-level  structure  of  a  PEM  message.  The  top- 
level  structure  includes: 

• A Pre-Encapsulation Boundary (preeb):

-----BEGIN PRIVACY-ENHANCED MESSAGE-----

• A PEM header (pemhdr) containing encryption information.

• A carriage-return-linefeed (CRLF) with the message text (pemtext), if any.

• A Post-Encapsulation Boundary (posteb):

-----END PRIVACY-ENHANCED MESSAGE-----


; PEM BNF representation, using RFC 822 notation.
; imports field meta-syntax (field, field-name, field-body,
;    field-body-contents) from RFC-822, sec. 3.2
; imports DIGIT, ALPHA, CRLF, text from RFC-822
; Note: algorithm and mode specifiers are officially defined
;    in RFC 1423

<pemmsg>   ::= <preeb>
               <pemhdr>
               [CRLF <pemtext>]          ; absent for CRL message
               <posteb>

<preeb>    ::= "-----BEGIN PRIVACY-ENHANCED MESSAGE-----" CRLF

<posteb>   ::= "-----END PRIVACY-ENHANCED MESSAGE-----" CRLF / <preeb>

<pemtext>  ::= <encbinbody>               ; for ENCRYPTED or MIC-ONLY messages
             / *(<text> CRLF)             ; for MIC-CLEAR

<pemhdr>   ::= <normalhdr> / <crlhdr>

Figure 2.10 Top-Level PEM Message Structure

A template of an encapsulated message taken from RFC 1421 [9] is shown below in Figure 2.11. The message components <pemhdr> and <pemtext> are the encapsulated header and encapsulated text portions of the message. These are described below.

Two  types  of  encryption  keys  are  used  in  PEM  as  reported  in  RFC  1421, 
[9]. 
Pre-Encapsulation Boundary (Pre-EB)

-----BEGIN PRIVACY-ENHANCED MESSAGE-----

Encapsulated Header Portion

(Contains encryption control fields inserted in plaintext.
Examples include "DEK-Info:" and "Key-Info:".

Note that, although these control fields have line-oriented
representations similar to RFC 822 header fields, the set
of fields valid in this context is disjoint from those used
in RFC 822 processing.)

Blank Line

(Separates Encapsulated Header from subsequent
Encapsulated Text Portion)

Encapsulated Text Portion

(Contains message data encoded as specified.)

Post-Encapsulation Boundary (Post-EB)

-----END PRIVACY-ENHANCED MESSAGE-----


Figure 2.11 Encapsulated Message Format


•  Data  Encryption  Keys  (DEKs)  are  used  for  encrypting  message  text 
and  for  message  integrity  codes  (MICs).  These  keys  are  generated 
on  a  per-message  basis  with  no  prior  pre-distribution. 

•  Interchange  Keys  (IKs)  are  used  to  encrypt  DEKs  for  transmission 
within  messages.  IKs  are  used  over  a  period  of  time.  They  are 
typically  the  secret  or  public  keys  of  principals  depending  on  whether 
secret  or  public  key  encryption  is  used. 


2.3.1  Encapsulated  Header  Portion 

The header portion of the message has the encryption control information necessary to decrypt the encapsulated message text portion of a PEM message. Its format is defined by RFC 1421. Its BNF description is in Figure 2.12.

There  are  two  types  of  headers: 


• normal headers <normalhdr> - used for messages that are not requests related to certificate revocation lists (CRLs).

• headers for CRLs <crlhdr> - used for messages related to CRLs.


<normalhdr>  ::= <proctype>
                 <contentdomain>
                 [<dekinfo>]                       ; needed if ENCRYPTED
                 (1*(<origflds> *<recipflds>))     ; symmetric case --
                                                   ; recipflds included for all proc types
               / ((1*<origflds>) *(<recipflds>))   ; asymmetric case --
                                                   ; recipflds included for ENCRYPTED proc type

<crlhdr>     ::= <proctype>
                 1*(<crl> [<cert>] *(<issuercert>))

<asymmorig>  ::= <origid-asymm> / <cert>

<origflds>   ::= <asymmorig> [<keyinfo>] *(<issuercert>)
                 <micinfo>                         ; asymmetric
               / <origid-symm> [<keyinfo>]         ; symmetric

<recipflds>  ::= <recipid> <keyinfo>


Figure 2.12 PEM Header Structure


Normal  Headers 


Normal  headers  contain: 


• process type <proctype> - the version number of PEM being used and the type of PEM message. In this case, version 4 is the only possibility. PEM message types can be ENCRYPTED, MIC-ONLY, MIC-CLEAR, CRL, or CRL-RETRIEVAL-REQUEST. See Figure 2.13.

• content domain <contentdomain> - the type of mail message; in this case the only possibility is RFC822, which identifies it as an ARPA Internet text message. See Figures 2.13 and 2.15.

• data encrypting key information <dekinfo> - required for ENCRYPTED messages. See Figures 2.13 and 2.15.

• One or more originator fields <origflds> with zero or more recipient fields <recipflds>. The required fields depend on whether secret or public key cryptography is used. See Figures 2.13 and 2.14.
; definitions for PEM header fields

<proctype>       ::= "Proc-Type" ":" "4" "," <pemtypes> CRLF
<contentdomain>  ::= "Content-Domain" ":" <contentdescrip> CRLF
<dekinfo>        ::= "DEK-Info" ":" <dekalgid> [ "," <dekparameters> ] CRLF
<symmid>         ::= <IKsubfld> "," [<IKsubfld>] "," [<IKsubfld>]
<asymmid>        ::= <IKsubfld> "," <IKsubfld>
<origid-asymm>   ::= "Originator-ID-Asymmetric" ":" <asymmid> CRLF
<origid-symm>    ::= "Originator-ID-Symmetric" ":" <symmid> CRLF
<recipid>        ::= <recipid-asymm> / <recipid-symm>
<recipid-asymm>  ::= "Recipient-ID-Asymmetric" ":" <asymmid> CRLF
<recipid-symm>   ::= "Recipient-ID-Symmetric" ":" <symmid> CRLF
<cert>           ::= "Originator-Certificate" ":" <encbin> CRLF
<issuercert>     ::= "Issuer-Certificate" ":" <encbin> CRLF
<micinfo>        ::= "MIC-Info" ":" <micalgid> "," <ikalgid> ","
                     <asymsignmic> CRLF
<keyinfo>        ::= "Key-Info" ":" <ikalgid> "," <micalgid> ","
                     <symencdek> "," <symencmic> CRLF      ; symmetric case
                   / "Key-Info" ":" <ikalgid> "," <asymencdek>
                     CRLF                                  ; asymmetric case
<crl>            ::= "CRL" ":" <encbin> CRLF
<pemtypes>       ::= "ENCRYPTED" / "MIC-ONLY" / "MIC-CLEAR" / "CRL"
                   / "CRL-RETRIEVAL-REQUEST"


Figure 2.13 PEM Header Fields


- Secret (symmetric) key case: the <origflds> consists of the originator's id <origid-symm> and optional key information <keyinfo>. Ids typically look like chin@cat.syr.edu with additional information on interchange keys (IKs). See Figures 2.12 and 2.13.

- Public (asymmetric) key case: the <origflds> consists of: 1) the asymmetric originator's id <asymmorig>, which is either the asymmetric originator's id <origid-asymm> (as in the secret key case) or the certificate <cert> of the originator; 2) optional key information <keyinfo>; 3) zero or more issuer certificates <issuercert>; and 4) message integrity code <micinfo> information. See Figures 2.13, 2.14, and 2.15. Details on certificates are in Section 2.6.


CRL Headers

CRL headers contain:

• process type - same as for normal headers.

• at least one CRL with an optional certificate and zero or more issuer certificates. See Figure 2.13.

Certificates are used to authenticate principals. Details are in Section 2.6.


2.3.2 Encapsulated Text Portion

An important distinction is to be made between encoded and encrypted messages. Encoded messages are those which have been modified so that they contain no "funny characters" and no lines which are too long, either of which would cause a mail system to modify the message contents. An example of this is the UNIX uuencode program. Of course, such encodings must be readily reversible so that the un-encoded text can be retrieved, e.g. by the UNIX uudecode program. Encrypted messages are messages which have been processed using a cryptographic algorithm and which, of course, should only be reversible by those having the proper keys.

Table 2.1 gives the encoding used by PEM. The encoding works as follows:

• PEM sends encoded information 32 bits at a time, which corresponds to four 8-bit encoded characters.

• The four encoded 8-bit characters are derived from four 6-bit inputs. The six input bits have a range of possible values from 0₁₀ to 63₁₀, i.e. 000000₂ to 111111₂.

• Each 6-bit value is encoded as an ASCII character as shown in Table 2.1. For example, 000000₂ is encoded as the ASCII character A.

• Each ASCII character is sent out as an 8-bit quantity: 7 bits representing the character plus one bit for parity (the most-significant bit). For example, A has the 8-bit hex encoding 41₁₆ or 01000001₂. This can be sent as P1000001₂ where P is the parity bit. The subset of ASCII characters used falls in the range at or below 7A₁₆, so the entire subset can be represented with 7 bits plus one bit for parity.

• Finally, four encoded 6-bit characters (24 bits) are sent at a time as a 32-bit word. If the data are not a multiple of 6 bits, the data are extended to the next multiple of 6 bits by adding 0s as padding bits.
Table 2.1 PEM 6-Bit Encoding

  value₁₀     character   ASCII representation
  0           A           41 hex
  25          Z           5A hex
  26          a           61 hex
  51          z           7A hex
  52          0           30 hex
  61          9           39 hex
  62          +           2B hex
  63          /           2F hex
  padding     =           3D hex

If the data are not a multiple of four characters (24 bits), padding characters are sent. Padding characters are encoded as ASCII =, i.e. 3D₁₆ or P0111101₂.


Figure 2.14 shows the BNF form of the encoded binary characters, <encbinchar>. <encbinchar> are the upper and lower case letters - ALPHA; the digits 0 through 9 - DIGIT; and the characters +, /, and =.

A group of encoded binary characters <encbingrp> is exactly four encoded binary characters - 4*4<encbinchar>. A body of encoded binary character groups is zero or more lines of up to 16 character groups, i.e. 64 characters per line - *(16*16<encbingrp> CRLF) [1*16<encbingrp> CRLF]. This can be seen in the example messages which follow.
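The 6-bit encoding of Table 2.1 and the <encbingrp>/<encbinbody> line structure described above, as an added example in Python. This is not code from the report or from any PEM implementation; the function names are this example's own, and the sample inputs in the comments are constructed. The decoder is written to reject anything outside the Table 2.1 alphabet, a group that is not exactly four characters, or padding that does not sit at the very end, so an altered body is reported rather than silently decoded.

```python
"""Printable encoding of PEM (RFC 1421): 6-bit values -> ASCII, 64-char lines.

Added example; not code from the report or from the PEM RFCs themselves.
"""
import re

# The 64-character alphabet of Table 2.1: 0-25 -> A-Z, 26-51 -> a-z,
# 52-61 -> 0-9, 62 -> '+', 63 -> '/'; '=' is the padding character.
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)
PAD = "="
_DECODE = {c: i for i, c in enumerate(ALPHABET)}


def encode_groups(data: bytes) -> str:
    """Encode bytes into 4-character groups (<encbingrp>).

    Three input octets (24 bits) become four 6-bit values, each mapped to
    one ASCII character.  A trailing 1- or 2-octet remainder is zero-padded
    to the next multiple of 6 bits and the unused output positions are
    sent as '='.
    """
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # pack up to 3 octets into a 24-bit integer, zero-filling the rest
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        chars = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # with n octets only n+1 characters carry data; the rest is padding
        out.append("".join(chars[: n + 1]) + PAD * (3 - n))
    return "".join(out)


def decode_groups(text: str) -> bytes:
    """Inverse of encode_groups.  Rejects characters outside Table 2.1,
    a length that is not a multiple of four, and padding anywhere but at
    the end, so a corrupted body raises instead of decoding to garbage."""
    if len(text) % 4 != 0:
        raise ValueError("encoded body is not a multiple of four characters")
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", text):
        raise ValueError("character outside the PEM 6-bit alphabet")
    out = bytearray()
    for i in range(0, len(text), 4):
        grp = text[i:i + 4]
        pad = grp.count(PAD)
        bits = 0
        for c in grp:
            bits = (bits << 6) | (0 if c == PAD else _DECODE[c])
        out += bits.to_bytes(3, "big")[: 3 - pad]
    return bytes(out)


def to_encbinbody(data: bytes) -> str:
    """Lay the groups out as <encbinbody>: lines of at most 16 groups
    (64 characters), each terminated by CRLF."""
    groups = encode_groups(data)
    return "".join(groups[i:i + 64] + "\r\n" for i in range(0, len(groups), 64))


def from_encbinbody(body: str) -> bytes:
    """Strip the CRLF line structure and decode."""
    return decode_groups(body.replace("\r\n", ""))


if __name__ == "__main__":
    # constructed input: 'Hello, PEM!' encodes to SGVsbG8sIFBFTSE=
    print(to_encbinbody(b"Hello, PEM!"), end="")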


2.4 Examples of PEM Message Types

There are five types of PEM messages - 1) ENCRYPTED, 2) MIC-CLEAR, 3) MIC-ONLY, 4) CRL, and 5) CRL-RETRIEVAL-REQUEST. ENCRYPTED, MIC-CLEAR, and MIC-ONLY messages have secret key and public key variants.
<encbinchar>  ::= ALPHA / DIGIT / "+" / "/" / "="
<encbingrp>   ::= 4*4<encbinchar>
<encbin>      ::= 1*<encbingrp>
<encbinbody>  ::= *(16*16<encbingrp> CRLF) [1*16<encbingrp> CRLF]
<IKsubfld>    ::= 1*<ia-char>

; Note: "," removed from <ia-char> set so that Orig-ID and Recip-ID
; fields can be delimited with commas (not colons) like all other
; fields

<ia-char>     ::= DIGIT / ALPHA / "'" / "+" / "(" / ")" /
                  "." / "/" / "=" / "?" / "-" / "@" /
                  "%" / "!" / '"' / "_" / "<" / ">"

<hexchar>     ::= DIGIT / "A" / "B" / "C" / "D" / "E" / "F"
                  ; no lower case

Figure 2.14 Character Descriptions


ENCRYPTED messages indicate that their message bodies are encrypted. MIC-ONLY messages are those whose message bodies are encoded but not encrypted and have a MIC computed as an integrity check. MIC-CLEAR messages are those whose message bodies are neither encoded nor encrypted and have a MIC computed as an integrity check. CRL-RETRIEVAL-REQUEST messages have no message body but are used to request CRLs. CRL messages store CRLs or reply to CRL retrieval requests.
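A parser for the encapsulated header of Section 2.3 (Figure 2.13) together with the field requirements stated there, as an added example in Python. It is not code from the report or from any PEM implementation. The header lines of the sample message are those of the secret-key example in Figure 2.21; its body is a constructed placeholder, not real ciphertext. One rule is this example's own reading of the format and is labelled as such in the code: an ENCRYPTED message must carry at least one recipient field, since otherwise no Key-Info conveys the DEK.

```python
"""Parser and consistency checks for the PEM encapsulated header
(Section 2.3, Figure 2.13).

Added example, not code from the report or from PEM implementations.
The header lines of SAMPLE are those of Figure 2.21; its body is a
constructed placeholder, not real ciphertext.
"""
from dataclasses import dataclass, field

BEGIN = "-----BEGIN PRIVACY-ENHANCED MESSAGE-----"
END = "-----END PRIVACY-ENHANCED MESSAGE-----"
PEM_TYPES = {"ENCRYPTED", "MIC-ONLY", "MIC-CLEAR", "CRL", "CRL-RETRIEVAL-REQUEST"}
ORIGINATOR_FIELDS = {"Originator-ID-Symmetric", "Originator-ID-Asymmetric",
                     "Originator-Certificate"}
RECIPIENT_FIELDS = {"Recipient-ID-Symmetric", "Recipient-ID-Asymmetric"}

SAMPLE = "\r\n".join([
    BEGIN,
    "Proc-Type: 4,ENCRYPTED",
    "Content-Domain: RFC822",
    "DEK-Info: DES-CBC,F8143EDE5960C597",
    "Originator-ID-Symmetric: linn@zendia.enet.dec.com,,",
    "Recipient-ID-Symmetric: linn@zendia.enet.dec.com,ptf-kmc,3",
    "Key-Info: DES-ECB,RSA-MD2,9FD3AAD2F2691B9A,",
    "          B70665BB9BF7CBCDA60195DB94F727D3",
    "Recipient-ID-Symmetric: pem-dev@tis.com,ptf-kmc,4",
    "Key-Info: DES-ECB,RSA-MD2,161A3F75DC82EF26,",
    "          E2EF532C65CBCFF79F83A2658132DB47",
    "",
    "AAAAAAAAAAAAAAAA",          # constructed placeholder body
    END,
    "",
])


@dataclass
class PemHeader:
    version: str
    pem_type: str
    fields: list = field(default_factory=list)   # (name, value) pairs, in order


def _unfold(lines):
    """Join RFC 822 continuation lines (those starting with whitespace, as
    the Key-Info values in Figure 2.21 do) onto the preceding line."""
    out = []
    for line in lines:
        if line[:1] in (" ", "\t") and out:
            out[-1] += line.strip()
        else:
            out.append(line)
    return out


def parse_pem_header(message: str) -> PemHeader:
    """Extract the header fields between the encapsulation boundaries."""
    lines = message.replace("\r\n", "\n").split("\n")
    if BEGIN not in lines or END not in lines:
        raise ValueError("encapsulation boundaries missing")
    inner = lines[lines.index(BEGIN) + 1: lines.index(END)]
    # the header ends at the first blank line; CRL and CRL-RETRIEVAL-REQUEST
    # messages carry no text portion, so the blank line may be absent
    header_lines = inner[: inner.index("")] if "" in inner else inner
    fields = []
    for line in _unfold(header_lines):
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name.strip(), value.strip()))
    if not fields or fields[0][0] != "Proc-Type":
        raise ValueError("Proc-Type must be the first header field")
    version, _, pem_type = (p.strip() for p in fields[0][1].partition(","))
    return PemHeader(version, pem_type, fields)


def check_header(h: PemHeader) -> list:
    """Return the violations of the field requirements of Section 2.3; an
    empty list means the header is well-formed."""
    problems = []
    names = [n for n, _ in h.fields]
    values = dict(h.fields)
    if h.version != "4":
        problems.append(f"unsupported Proc-Type version {h.version!r}")
    if h.pem_type not in PEM_TYPES:
        problems.append(f"unknown PEM type {h.pem_type!r}")
    if h.pem_type in ("ENCRYPTED", "MIC-ONLY", "MIC-CLEAR"):
        if values.get("Content-Domain") != "RFC822":
            problems.append("Content-Domain: RFC822 is required")
        if not ORIGINATOR_FIELDS & set(names):
            problems.append("at least one originator field is required")
    has_dek = "DEK-Info" in names
    if h.pem_type == "ENCRYPTED" and not has_dek:
        problems.append("DEK-Info is required for ENCRYPTED messages")
    if h.pem_type != "ENCRYPTED" and has_dek:
        problems.append("DEK-Info is only meaningful for ENCRYPTED messages")
    # this example's own rule: without a recipient no Key-Info conveys the DEK
    if h.pem_type == "ENCRYPTED" and not RECIPIENT_FIELDS & set(names):
        problems.append("ENCRYPTED messages need at least one recipient field")
    # each recipient id must be immediately followed by its Key-Info
    for i, n in enumerate(names):
        if n in RECIPIENT_FIELDS and names[i + 1: i + 2] != ["Key-Info"]:
            problems.append(f"{n} at position {i} lacks a following Key-Info")
    return problems


if __name__ == "__main__":
    hdr = parse_pem_header(SAMPLE)
    print(hdr.pem_type, check_header(hdr) or "well-formed")
```

Dropping the DEK-Info line from the sample, or changing its Proc-Type to MIC-ONLY while leaving DEK-Info in place, each produces exactly one reported problem.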


2.4.1  ENCRYPTED 


Public  Key  Variant 


Table 2.2 shows the format of PEM messages which are encrypted using asymmetric (public) keys, [2]. Figure 2.16 is an example message taken from RFC 1421. Figure 2.17 shows the processing of a PEM message on the sender side; Figures 2.18, 2.19 and 2.20 show the processing of a PEM message on the receiver side.


Secret  Key  Variant 

Table  2.3  shows  the  format  of  PEM  messages  which  are  encrypted  using 
symmetric  (secret)  keys,  [2].  Figure  2.21  is  an  example  message  taken  from 
RFC  1421. 
Table 2.2 Encrypted, Public Key PEM Message Format

  -----BEGIN PRIVACY-ENHANCED MESSAGE-----      pre-encapsulation boundary
  Proc-Type: 4, ENCRYPTED                       type of PEM message (version, type)
  Content-Domain: RFC822                        message form
  DEK-Info: DES-CBC, 16 hex digits              message encryption algorithm, IV
  Originator-Certificate: cybercrud             sender's encoded certificate (optional)
  Originator-ID-Asymmetric: cybercrud, number   sender ID (present only if sender's
                                                certificate not present)
  Key-Info: RSA, cybercrud                      key-info for CC'd sender (if needed)
  Issuer-Certificate: cybercrud                 sequence of zero or more CA certificates
                                                (possibly whole chain from the sender's
                                                certificate to the IPRA's)
  MIC-Info: RSA-MDx, RSA, cybercrud             message digest algorithm, message digest
                                                encryption algorithm, encoded encrypted MIC
  Recipient-ID-Asymmetric: cybercrud, number    for each recipient: recipient ID (encoded
  Key-Info: RSA, cybercrud                      X.500 name of CA that signed certificate,
                                                certificate serial number); key-info for
                                                recipient
  Blank line
  cybercrud                                     encoded encrypted message
  -----END PRIVACY-ENHANCED MESSAGE-----        post-encapsulation boundary

Table 2.3 Encrypted, Secret Key PEM Message Format

  -----BEGIN PRIVACY-ENHANCED MESSAGE-----      pre-encapsulation boundary
  Proc-Type: 4, ENCRYPTED                       type of PEM message (version, type)
  Content-Domain: RFC822                        message form
  DEK-Info: DES-CBC, 16 hex digits              message encryption algorithm, IV
  Originator-ID-Symmetric: entity identifier,   sender ID
    issuing authority, version/expiration
  Recipient-ID-Symmetric: entity identifier,    for each recipient: recipient ID;
    issuing authority, version/expiration       key-info for recipient
  Key-Info: RSA, cybercrud
  Blank line
  cybercrud                                     encoded encrypted message
  -----END PRIVACY-ENHANCED MESSAGE-----        post-encapsulation boundary
; This specification defines one value ("RFC822") for
; <contentdescrip>; other values may be defined in future in
; separate or successor documents

<contentdescrip>    ::= "RFC822"

; Addendum to PEM BNF representation, using RFC 822 notation
; Provides specification for official PEM cryptographic algorithms,
; modes, identifiers and formats.

; Imports <hexchar> and <encbin> from RFC [1421]

<dekalgid>          ::= "DES-CBC"
<ikalgid>           ::= "DES-EDE" / "DES-ECB" / "RSA"
<sigalgid>          ::= "RSA"
<micalgid>          ::= "RSA-MD2" / "RSA-MD5"
<dekparameters>     ::= <DESCBCparameters>
<DESCBCparameters>  ::= <IV>
<IV>                ::= <hexchar16>
<symencdek>         ::= <DESECBencDESCBC> / <DESEDEencDESCBC>
<DESECBencDESCBC>   ::= <hexchar16>
<DESEDEencDESCBC>   ::= <hexchar16>
<symencmic>         ::= <DESECBencRSAMD2> / <DESECBencRSAMD5>
<DESECBencRSAMD2>   ::= 2*2<hexchar16>
<DESECBencRSAMD5>   ::= 2*2<hexchar16>
<asymsignmic>       ::= <RSAsignmic>
<RSAsignmic>        ::= <encbin>
<asymencdek>        ::= <RSAencdek>
<RSAencdek>         ::= <encbin>
<hexchar16>         ::= 16*16<hexchar>

Figure 2.15 PEM Cryptographic Algorithms, Modes, and Identifiers


2.4.2  MIC-ONLY  or  MIC-CLEAR 


Public  Key  Variant 


Table 2.4 shows the format of MIC-ONLY and MIC-CLEAR messages using public keys. Figure 2.22 is an example of a MIC-ONLY message. MIC-ONLY messages encode their messages as described in Section 2.1. MIC-CLEAR messages do not use encoding.

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,ENCRYPTED
Content-Domain: RFC822
DEK-Info: DES-CBC,BFF968AA74691AC1
Originator-Certificate:
 MIIBlTCCAScCAWUHDQYJKoZIhvcNAQECBQAHUTELHAkGAlUEBhHCVVMxIDAeBgNV
 BAoTFlJTQSBEYXRhIFNlY3VyaXR5LCBJbmHuHQ8BDQYDVQQLEHZCZXRhIDExDzAN
 BgNVBAsTBk5PVEFSHTAeFB05HTA5HDQx0DH4HTdaFH05HzA5HDHx0DH4HTZaHEUx
 CzAJBgNVBAYTAlVTHSABHgYDVqqKExdSUOEgRGFOYSBTZWHlcmlOeSBgSWSjLjEU
 HBIGAlUEAxHLVGVzdCBVc2VyIDEBHTAKBgRVCAEBAgICAANLADBIAkEABHZH17i+
 yJcqDtjJCoBzTdBJrdAiLAnSC+Cnnj0JELyuqiBgkGrgIh3j8/x0fH+YrsyFlu3F
 LZPVtzlndhYFjqiDAqABHA0aCSqGSIb3DqEBAgUAAlkACKr0PqphJYBlj+YPtcIq
 iWlFPuN5jJ79Khfg7ASFxskYkEHjRNZV/HZDZqEhtVaU7Jxfzs2BfX5byHp2X3U/
 SXUXGx7qusDgHqGs7Jk9W8CWlfuSHUgN4w==
Key-Info: RSA,
 I3rRIGXtJGHAF8js5BCzRTkdh034PTHdRZY9TuvmO3H+HH7fx6qc5udixps2LngO+
 BGrtiUm/ovtKdinz6Zq/aq==
Issuer-Certificate:
 MIIB3DCCAUgCAqoBDqYJKoZIhvcNAQECBqABTzELHAkGAlUEBhHCVVHxIDAeBgHV
 BAoTFlJTqSBEYXRhIFNlY3VyaXR5LCBJbiHuHq8BDqYDVqqLEBZCZXRhIDExDTAL
 BgNVBAsTBFRHqOEBHhcNOTEBaTAxMDgBHDABHhcNOTlBDTAxHDclOTUSWjBRHqsB
 CqYDVqqGEBJVUzEgHB4GAlUEChHXUlNBIERhdGEgU2VjdXJpdHksIEluYy4xDzAN
 BgNVBAsTBkJldGEgMTEPHA0GAlUECxHGTk9UqVJZHHABCgYEVqgBAqiCArBDYgAB
 XBJYCsnp6iqCxYykN10DBUtF/jHJ3kL+3PjYyH0Bk+/9rLg6X65B/LD4bJHt05XW
 cqAz/7R7XhjYCmOPcqbdzoACZtIlETrKrcJiDYoP+DkZ8klgCk7hqHpblBlDAqAB
 HA0GCSqGSIb3DqEBAgUAA38AAICPv4f9Gx/tY4+p+4DB7HV+tKZnvBoy8zgoHG0x
 dD2jHZ/3HsyUKWgSF0eH/AJB3qr9zosG47pyHnTf3aSy2nBD7CMxpUVRBcXUpE+x
 EREZd9++32ofGBIXaialn0gVUn00zSYgugiq077nJLDUj0hqehCizEs5BUJ35a5h
MIC-Info: RSA-MD5,RSA,
 UdFJR8u/TIGhfH65ieeBe210W4tooa3vZCvVNGBZirf/7nrgzUDABz8B9NsXSexv
 AjRFbHoNPzBuxBra0AFeA0HJszL4yBvhG
Recipient-ID-Asymmetric:
 MFExCzAJBgNVBAYTAlVTHSABHgYDVQQKExdSUOEgRGFOYSBTZHNlcmlOeSBgSHSj
 LjEPHAOGAlUECxHGqmVOYSAxHq8BDqYDVqQLEBZOTlRBUlk=,
 66
Key-Info: RSA,
 06BSlBB9CTyHPtS3bHLD+LOhejdvX6qvlHK2ds2sqPEaXhX8EhvVphHYTjBekdWv
 7xOZ3Jx2vTAhOYHMcqqCjA==

qeWlj/YJ2Uf5ng9yznPbtD0mYloSBluV9FRYx+gzY+8iXd/NqrXHfi6/HhPfPF3d
jIqCJAxvld2xgqqiraUzoSla4r7kqq5c/Iua4LqKeq3ciFzEv/MbZhA==
-----END PRIVACY-ENHANCED MESSAGE-----

Figure 2.16 Example ENCRYPTED Message (Public Key Case)

[Figure 2.17 is a diagram that did not survive extraction; the labels still legible are "private key of Originator" and "encrypted MIC".]

Figure 2.17 Processing of PEM message on sender side: ENCRYPTED

Table 2.4 MIC-ONLY or MIC-CLEAR Public Key Format

  -----BEGIN PRIVACY-ENHANCED MESSAGE-----      pre-encapsulation boundary
  Proc-Type: 4, MIC-ONLY or MIC-CLEAR           type of PEM message (version, type)
  Content-Domain: RFC822                        message form
  Originator-Certificate: cybercrud             sender's encoded certificate (optional)
  Originator-ID-Asymmetric: cybercrud, number   sender ID (present only if sender's
                                                certificate not present)
  Issuer-Certificate: cybercrud                 sequence of zero or more CA certificates
                                                (possibly whole chain from the sender's
                                                certificate to the IPRA's)
  MIC-Info: RSA-MDx, RSA, cybercrud             message digest algorithm, message digest
                                                encryption algorithm, encoded encrypted MIC
  Blank line
  message
  -----END PRIVACY-ENHANCED MESSAGE-----        post-encapsulation boundary


Secret  Key  Variant 

Table  2.5  shows  the  format  of  MIC-ONLY  and  MIC-CLEAR  messages  using 
secret  keys.  MIC-ONLY  messages  have  their  message  contents  encoded  as 
described  in  Section  2.1.  MIC-CLEAR  messages  do  not  use  encoding. 
[Figure 2.18 is a diagram that did not survive extraction. Legible labels: "(Recipient-ID-Asymmetric field, known to the recipient)"; legend: * calculated value, □ value retrieved from received PEM message, o derived from retrieved value.]

Figure 2.18 Processing of PEM message on receiver side - Retrieve DEK: ENCRYPTED

2.4.3  CRL-RETRIEVAL-REQUEST 


Table  2.6  gives  the  format  of  a  CRL-RETRIEVAL-REQUEST  message. 
Figure  2.23  is  an  example  from  RFC  1421  of  such  a  request. 


2.4.4  CRL 


Table 2.7 gives the format for CRL messages. Figures 2.24 and 2.25 illustrate CRL storage request and retrieval reply messages.
Table 2.5 MIC-ONLY and MIC-CLEAR Secret Key Format

  -----BEGIN PRIVACY-ENHANCED MESSAGE-----      pre-encapsulation boundary
  Proc-Type: 4, ENCRYPTED                       type of PEM message (version, type)
  Content-Domain: RFC822                        message form
  Originator-ID-Symmetric: entity identifier,   sender ID
    issuing authority, version/expiration
  Recipient-ID-Symmetric: entity identifier,    for each recipient: recipient ID;
    issuing authority, version/expiration       key-info for recipient
  Key-Info: RSA, cybercrud
  Blank line
  message                                       message (encoded if MIC-ONLY)
  -----END PRIVACY-ENHANCED MESSAGE-----        post-encapsulation boundary

Table 2.6 CRL-RETRIEVAL-REQUEST Format

  -----BEGIN PRIVACY-ENHANCED MESSAGE-----      pre-encapsulation boundary
  Proc-Type: 4,CRL-RETRIEVAL-REQUEST            type of PEM message (version, type)
  Issuer: cybercrud                             for each CRL requested: the encoded
                                                X.500 name of the issuing CA
  -----END PRIVACY-ENHANCED MESSAGE-----        post-encapsulation boundary

Table 2.7 CRL Format

  -----BEGIN PRIVACY-ENHANCED MESSAGE-----      pre-encapsulation boundary
  Proc-Type: 4,CRL                              type of PEM message (version, type)
  CRL: cybercrud                                for each CRL retrieved: encoded X.509
  Originator-Certificate: cybercrud             format CRL; encoded X.509 certificate
                                                of the CA that issued the CRL
  -----END PRIVACY-ENHANCED MESSAGE-----        post-encapsulation boundary
[Figure 2.19 is a diagram that did not survive extraction. Legible labels: "DEK*"; legend: * calculated value, value retrieved from received PEM message.]

Figure 2.19 Processing of PEM message on receiver side - Retrieve plaintext message and MIC: ENCRYPTED


2.5  Privacy  in  PEM 


The cryptographic algorithms, modes, and identifiers for PEM are defined in RFC 1423, [1], along with the content description in RFC 1421, [9]. The structural definition in BNF form appears in Figure 2.15.

The cryptographic functions used in PEM are:

• DES-CBC - (Data Encryption Standard Cipher Block Chaining) for secret key encryption of messages.

• DES-EDE - (DES encrypt-decrypt-encrypt) for secret key encryption of DEKs.

• DES-ECB - (DES electronic code book) for secret key encryption of DEKs.

• RSA - (Rivest, Shamir, and Adleman) for public key encryption of DEKs and signatures.

• RSA-MD2 - (RSA message digest 2) for secret key computation of message integrity codes.

• RSA-MD5 - (RSA message digest 5) for secret key computation of message integrity codes.

[Figure 2.20 is a diagram that did not survive extraction. Legible labels: "(Originator-ID or Originator-Certificate field)", "(MIC_info field, message_digest_encryption_algorithm subfield)", "(MIC_info field, message_digest_algorithm subfield)"; legend: * calculated value, value retrieved from received PEM message.]

Figure 2.20 Processing of PEM message on receiver side - Verify digital signature: ENCRYPTED


2.6  Authentication  in  PEM 

2.6.1  Certificates 

Authentication in PEM is done using certificates. Certificates are data structures which contain the public information of users. This public information includes:

• User name.

• Public key.

• Name of issuer which vouches for information.

• Time interval over which data are valid.

RFC 1422 describes the key management architecture for public-key certificates. RFC 1422 and [2] define the certificate format as shown in Figure 2.26.

The integrity of a certificate is checked by verifying the signature in the encrypted field against the certificate with the public key of the issuer of the certificate.

The authenticity of a certificate is checked by seeing if there is a path leading from the issuer back to the root certificate authority.

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,ENCRYPTED
Content-Domain: RFC822
DEK-Info: DES-CBC,F8143EDE5960C597
Originator-ID-Symmetric: linn@zendia.enet.dec.com,,
Recipient-ID-Symmetric: linn@zendia.enet.dec.com,ptf-kmc,3
Key-Info: DES-ECB,RSA-MD2,9FD3AAD2F2691B9A,
          B70665BB9BF7CBCDA60195DB94F727D3
Recipient-ID-Symmetric: pem-dev@tis.com,ptf-kmc,4
Key-Info: DES-ECB,RSA-MD2,161A3F75DC82EF26,
          E2EF532C65CBCFF79F83A2658132DB47

LLrHB0eJzyhP+/fSStdW8okeEnv47jxe7SJ/iN72ohNcUk2jHEUSoHlnvHSIWL9H
8tEjmF/zxB+bATHtPjCUWbz8Lr9HloXIkjHUlBLpvXR0UrUzYbkHpk0agV2IzUpk
J6UiRRGcDSvzrsoK+oHvqu6z7Xs5Xfz5rDqUcHlKlZ6720dcBWGGsDLpTpSCnpot
dXd/HSLHDWnonNvPCH(JUHt==
-----END PRIVACY-ENHANCED MESSAGE-----

Figure 2.21 Example ENCRYPTED Message (Secret Key Case)

2.6.2  Certificate  Hierarchy 

User certificates are the leaves in a tree with the root certificate authority, the Internet Policy Registration Authority (IPRA). The IPRA certifies other certification authorities. These are known as Policy Certification Authorities (PCAs). [2] lists three types of PCAs:
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-ONLY
Content-Domain: RFC822
Originator-Certificate:
 MIIBlTCCAScCAWUBDqYJKoZIhvcBAQECBQAHUTELHAkGAlUEBhHCVVHxIDAeBgHV
 BAoTFlJTqSBEYXRhlFlflYSVyaXRSLCBJbmHuHqSHDqYDVqQLEBZCZXRhlDExDzAII
 BgHVBAsTBk5PVEFSWTAeFB05HTA5HDqxODH4HTdaFB05H2A5HDHxODH4HTZaHEUx
 CzAJBgHVBAYTAlVTHSABHgYDVqqKExdSOOEgRGFOYSBTZWHlcmlOeSBgSWSjLjEU
 MBIGAlUEAxHLVGVzdCBVc2VyIDEBWTAKBgRVCAEBAgICAAHLADBIAkEABHZH17i+
 yJcqDtjJCoBzTdBJrdAiLAnSC+CnnjOJELyuqiBgkGrgIh3j8/xOfH+YrsyFlu3F
 LZPVtzlndhYFJqiDAqABHA0GCSqGSIb3DqEBAgUAAlkACKr0PqphJYBlj+YPtcIq
 iWlFPuH5jJ79Khfg7ASFxskykEHjRHZV/HZDZqEhtVaU7Jxfzs2BfX5byHp2X3U/
 5XUXGx7qusDgHqGs7Jk9W8CWlfuSWUgH4B==
Issuer-Certificate:
 MIIB3DCCAUgCAqoBDqYJKoZIhvcirAqECBqABTzELHAkGAlUEBhHCVVHxIDAeBgIIV
 BAoTFlJTqSBEYXRhlFiriYSVyaXRSLCBJbmHuHqSBDqYDVqqLEBZCZXRhlDExDTAL
 BgHVBAsTBFRHqOEBHhcHOTEBOTAxHDgBMDABHhcHOTlBOTAxHDclOTUSWjBRHqsB
 CqYDVqqGEBJVUzEgHB4GAlUEChHXUlIIBIERhdGEgU2VjdXJpdHksIEluYy4xDzAB
 BgHVBAsTBkJldGEgHTEPHA0GAlUECxHGTk9UqVJZHHABCgYEVqgBAqiCArBDYgAB
 XBJYCsnp6iqCxYykB10DBUtF/jHJ3kL+3PjYyHOBk+/9rLg6X65B/LD4bJHt05XW
 cqAz/7R7XhjYCmOPcqbdzoACZtIlETrKrcJiDYoP+DkZ8klgCk7hqHpblBlDAqAB
 HA0GCSqGSIb3DqEBAgUAA38AAICPv4f9Gx/tY4+p+4DB7HV+tKZnvBoy82goHG0x
 dD2jHZ/3HsyWKWgSF0eH/AJB3qr9zosG47pyHnTf3aSy2nB07CHxpUWRBcXUpE+x
 EREZd9++32ofGBIXaialn0gVUnO0zSYgugiq077nJLDUj0hqehCizEs5BUJ35a5h
MIC-Info: RSA-MD5,RSA,
 jV20fH+nnXHU8bnL8kPAad/mSqiTDZlbVuxvZA0VRZ5q5+Ejl5bqvqHeq0UHqjr6
 EtE7K2qDeVMCyXsdJlA8fA==

LSBBIG1lc3NhZ2UgZm9yIHVzZSBpbiB0ZXN0aW5nLg0KLSBGb2xsb3dpbmcgaXMg
YSBibGFuayBsaW5lOg0KDQpUaGlzIGlzIHRoZSBlbmQuDQo=
-----END PRIVACY-ENHANCED MESSAGE-----

Figure 2.22 Example MIC-ONLY Message (Public Key Case)


To: cert-service@ca.domain
From: requestor@host.domain

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,CRL-RETRIEVAL-REQUEST
Issuer: <issuer whose latest CRL is to be retrieved>
Issuer: <another issuer whose latest CRL is to be retrieved>
-----END PRIVACY-ENHANCED MESSAGE-----

Figure 2.23 Example CRL-RETRIEVAL-REQUEST Message
To: cert-service@ca.domain
From: requestor@host.domain

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,CRL
CRL: <CRL to be stored>
Originator-Certificate: <CRL issuer's certificate>
CRL: <another CRL to be stored>
Originator-Certificate: <other CRL issuer's certificate>
-----END PRIVACY-ENHANCED MESSAGE-----

Figure 2.24 Example CRL Storage Request


To: requestor@host.domain
From: cert-service@ca.domain

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,CRL
CRL: <issuer's latest CRL>
Originator-Certificate: <issuer's certificate>
CRL: <other issuer's latest CRL>
Originator-Certificate: <other issuer's certificate>
-----END PRIVACY-ENHANCED MESSAGE-----

Figure 2.25 Example CRL Retrieval Reply
The X.509 certificate format is defined by the following ASN.1
syntax:

Certificate ::= SIGNED SEQUENCE{
        version [0]              Version DEFAULT v1988,
        serialNumber             CertificateSerialNumber,
        signature                AlgorithmIdentifier,
        issuer                   Name,
        validity                 Validity,
        subject                  Name,
        subjectPublicKeyInfo     SubjectPublicKeyInfo,
        issuerUniqueIdentifier   Optional (permitted in version 2 only),
        subjectUniqueIdentifier  Optional (permitted in version 2 only),
        algorithmIdentifier      repeat of signature field
        encrypted signature on all but last of above fields}

Version ::= INTEGER {v1988(0)}

CertificateSerialNumber ::= INTEGER

Validity ::= SEQUENCE{
        notBefore                UTCTime,
        notAfter                 UTCTime}

SubjectPublicKeyInfo ::= SEQUENCE{
        algorithm                AlgorithmIdentifier,
        subjectPublicKey         BIT STRING}

AlgorithmIdentifier ::= SEQUENCE{
        algorithm                OBJECT IDENTIFIER,
        parameters               ANY DEFINED BY algorithm OPTIONAL}

The components of this structure are defined by ASN.1 syntax defined
in the X.500 Series Recommendations. RFC 1423 provides references
for and the values of AlgorithmIdentifiers used by PEM in the
subjectPublicKeyInfo and the signature data items. It also describes
how a signature is generated and the results represented. Because
the certificate is a signed data object, the distinguished encoding
rules (see X.509, section 8.7) must be applied prior to signing.

Figure 2.26 Certificate Syntax
[Figure 2.27 is a tree diagram that did not survive extraction. Its levels, from the root down, are labelled IPRA, PCAs, various organizations' CAs, and individuals or CAs.]

Figure 2.27 PEM Certificate Hierarchy


•  High  Assurance  Certification  Authorities  (HACAs).  HACAs  will 
not  grant  a  certificate  to  organizations  unless  they  are  also  highly 
assured. 

• Discretionary Assurance Certification Authorities (DACAs). DACAs do not impose constraints on organizations they certify except to ensure that organizations are who they say they are.

•  No  Assurance  Certification  Authorities  (NACAs).  NACAs  have  no 
constraints  except  they  cannot  issue  two  certificates  with  the  same 
name.  No  assurance  is  given  that  the  organizations  or  people  they 
certify  are  using  their  real  identities. 

Figure  2.27  illustrates  the  certification  tree  hierarchy. 

2.6.3  Certificate  Revocation  Lists 

A  certificate  revocation  list  (CRL)  is  a  list  of  serial  numbers  of  certificates 
that  are  invalid,  much  like  a  listing  of  bad  credit  cards.  CRLs  are  updated 
periodically,  so  they  also  include  the  period  of  time  they  cover. 

Figure  2.28  shows  the  CRL  syntax  as  specified  by  RFC  1422. 
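A revocation check against a CRL with the fields of Figure 2.28 (issuer, lastUpdate, nextUpdate, and CRLEntry records of userCertificate serial number and revocationDate), as an added example in Python. It is not code from the report or from any PEM implementation, and the CRL it checks against is constructed for the example, with a made-up issuer name and serial numbers. Beyond membership of the serial number in the list, it applies the two checks the report's description of CRLs motivates: the CRL only speaks for its own issuer, and only for the period it covers, so outside that window the answer is "unknown" rather than "good". Parsing of UTCTime with its two-digit year is included because that is the form the X.509 syntax of Figure 2.28 uses.

```python
"""Revocation check against a CRL shaped like Figure 2.28 (RFC 1422).

Added example; SAMPLE_CRL is constructed for illustration and is not taken
from any real certification authority.  Verification of the CRL's own
signature is assumed to have been done before check_revocation is called.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


def parse_utctime(s: str) -> datetime:
    """Parse X.509 UTCTime 'YYMMDDHHMMSSZ'.  The two-digit year is the
    classic pitfall: by the X.509 convention YY >= 50 means 19YY and
    YY < 50 means 20YY."""
    if len(s) != 13 or not s.endswith("Z") or not s[:-1].isdigit():
        raise ValueError(f"not a UTCTime: {s!r}")
    yy = int(s[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)


@dataclass(frozen=True)
class CRLEntry:
    user_certificate: int        # serial number of the revoked certificate
    revocation_date: datetime


@dataclass(frozen=True)
class CRL:
    issuer: str
    last_update: datetime
    next_update: datetime
    revoked: tuple               # tuple of CRLEntry


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # the CRL cannot answer for this certificate now


def check_revocation(crl: CRL, issuer: str, serial: int, now: datetime) -> Status:
    """Decide a certificate's status from a CRL.

    A CRL only speaks for the issuer that signed it and only for the period
    lastUpdate..nextUpdate; outside that window the answer is UNKNOWN, not
    GOOD, so a stale CRL cannot be used to hide a later revocation.
    """
    if crl.issuer != issuer:
        return Status.UNKNOWN
    if not (crl.last_update <= now < crl.next_update):
        return Status.UNKNOWN
    if any(entry.user_certificate == serial for entry in crl.revoked):
        return Status.REVOKED
    return Status.GOOD


# constructed CRL: one revoked serial, valid for March 1994
SAMPLE_CRL = CRL(
    issuer="CN=Example PCA",
    last_update=parse_utctime("940301000000Z"),
    next_update=parse_utctime("940401000000Z"),
    revoked=(CRLEntry(1234, parse_utctime("940215120000Z")),),
)


if __name__ == "__main__":
    when = parse_utctime("940315000000Z")
    for serial in (1234, 99):
        print(serial, check_revocation(SAMPLE_CRL, "CN=Example PCA", serial, when).value)
```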


2.7  Integrity  in  PEM 


Integrity is maintained by either message integrity codes or digital signatures. Both are denoted as MICs in this report. MICs are computed for the message and included as part of the header. In the secret key variant, recipients of the message compute the MIC for the message they receive and compare it to the MIC sent in the header. If the MICs match, then the message was unaltered (see Figure 2.8).
The following ASN.1 syntax, derived from X.509 and aligned with the
suggested format in recently submitted defect reports, defines the
format of CRLs for use in the PEM environment.

CertificateRevocationList ::= SIGNED SEQUENCE{
        signature                AlgorithmIdentifier,
        issuer                   Name,
        lastUpdate               UTCTime,
        nextUpdate               UTCTime,
        revokedCertificates
                                 SEQUENCE OF CRLEntry OPTIONAL}

CRLEntry ::= SEQUENCE{
        userCertificate          SerialNumber,
        revocationDate           UTCTime}

Figure 2.28 Certificate Revocation List Syntax

In the public key variant, recipients of the message compute the message digest of the message they receive and verify the MIC sent in the header against the computed message digest with the sender's public key. If the verification succeeds, the message was unaltered (see Figures 2.9 and 2.20).

CRLs and certificates are signed. The signature of a CRL or certificate is included so the recipient can validate the CRL or certificate against the signature which was sent.
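The secret-key MIC check just described, for a MIC-CLEAR message, as an added example in Python. It is not code from the report or from any PEM implementation. The digest is MD5, the algorithm behind the RSA-MD5 identifier of Figure 2.15; the DES-ECB encryption of the MIC under the interchange key, which the real Key-Info field carries, is left out so the code runs with the standard library alone, and the MIC is compared in the clear. The sample message is constructed. The canonicalisation step (every line ending in CRLF before the digest is taken, as RFC 1421 specifies) is what lets a MIC-CLEAR message, which is not encoded and is therefore exposed to line-ending rewrites in transit, still verify after such a rewrite, while any change to the content is detected.

```python
"""Secret-key MIC check of Section 2.7 for a MIC-CLEAR message.

Added example; uses MD5 (the digest behind RSA-MD5) and omits the DES-ECB
encryption of the MIC under the interchange key.  The message is constructed.
"""
import hashlib
import hmac


def canonical_form(text: str) -> bytes:
    """RFC 1421 canonicalises the text before the MIC is computed: every
    line ends in CRLF.  Without this, a transport that rewrites line
    endings would make an unaltered MIC-CLEAR message fail its check."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()                      # no extra line for a trailing newline
    return "".join(line + "\r\n" for line in lines).encode("ascii")


def compute_mic(text: str) -> bytes:
    """Sender and recipient both compute the digest over the canonical form."""
    return hashlib.md5(canonical_form(text)).digest()


def mic_matches(received_text: str, mic_from_header: bytes) -> bool:
    """Recipient side: recompute and compare.  compare_digest keeps the
    comparison time independent of where the two values first differ."""
    return hmac.compare_digest(compute_mic(received_text), mic_from_header)


def integrity_scenarios() -> dict:
    """Two things that can happen to a MIC-CLEAR message in transit."""
    original = "Subject: hello\r\n\r\nPay 100 to Alice.\r\n"      # constructed
    mic = compute_mic(original)
    return {
        "line endings rewritten": mic_matches(original.replace("\r\n", "\n"), mic),
        "amount changed": mic_matches(original.replace("100", "1000"), mic),
    }


if __name__ == "__main__":
    for case, ok in integrity_scenarios().items():
        print(f"{case}: {'MIC matches' if ok else 'MIC mismatch'}")
```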


2.8  Non-repudiation  in  PEM 


When  public-keys  are  used,  signatures  provide  non-repudiation  as  only  the 
originator  could  have  created  the  signature  of  a  message,  MIC,  CRL,  or 
certificate. 
Chapter 3

PEM in Higher-Order Logic

In this chapter, we show the development of all the security functions that are needed to address the security issues raised before: privacy, authentication, integrity, and non-repudiation. The development is done in higher order logic using the HOL system, [5]. Standard predicate calculus notation is used: ∧, ∨, ¬, ⊃ denote and, or, negation, and implication. ∀ and ∃ denote for all and there exists. cond → t1 | t2 denotes if cond is true then t1 else t2. Γ ⊢ t denotes a theorem, i.e. whenever the logical terms in the list Γ are all true, then the conclusion t is guaranteed to be true. The logical development presented in this paper is a conservative extension of the HOL logic, i.e. no axioms were used and the underlying definitions are guaranteed to be consistent. Definitional extensions to HOL are denoted by ⊢def.


3.1  Security  Functions  in  HOL 


Throughout  this  report,  we  identify  a  person  by  his/her  keys.  In  public 
key  cryptography,  the  person  is  identified  by  public  key  which  is  known  to 
everyone.  Since  a  private  key  belongs  to  only  one  owner,  the  corresponding 
public  key  uniquely  identifies  a  person.  In  secret  key  cryptography,  two 
or  more  people  who  share  a  secret  key  are  identified  by  that  secret;  a  key 
uniquely  identifies  the  group  who  shares  it. 


3.1.1  Privacy 

Function  is_Private  checks  the  privacy  property  of  a  mail  message.  It 
declares  the  message  as  private  if  the  decrypted  received  message  matches 
that  of  the  original  plaintext. 
Since both secret key encryption and public key encryption are used to protect the privacy of messages, two variants of is_Private are given. The difference between is_PrivateS for secret key and is_PrivateP for public key is: secret key encryption takes an initial vector while public key encryption does not.

is_PrivateS has parameters: 1) decryptS - a secret key decryption function, 2) message - the original plaintext, 3) rxmsg - the received (encrypted) message, 4) decryptIV - initial vector for decryption and 5) key - the shared secret key.


is_PrivateS

⊢def ∀decryptS message rxmsg decryptIV key.
       is_PrivateS decryptS message rxmsg decryptIV key =
         (decryptS rxmsg key decryptIV = message)


is_PrivateP has parameters: 1) decryptP - a public key decryption function, 2) message - the original plaintext, 3) rxmsg - the received ciphertext and 4) dkey - the private key of the recipient.

is_PrivateP

⊢def ∀decryptP message rxmsg dkey.
       is_PrivateP decryptP message rxmsg dkey =
         (decryptP rxmsg dkey = message)


is_Private is true if and only if there is one and only one person who can read the original message, namely the intended recipient.

When a mail message satisfies the assumptions listed below, the correctness theorem of is_Private can be proved by using the definitions of is_PrivateS and is_PrivateP. The assumptions are: 1) the received message is the same as the transmitted message, 2) the transmitted message is the original message encrypted with a key (either a shared secret key or a public key), 3) for any encryption key (in either secret key cryptography or public key cryptography), there is a unique decryption key which can be used to retrieve the original text. They are taken as antecedents of a nested implication.

Theorem is_Private_DEK is the privacy property of the DEK used in PEM, which is encrypted with the recipient's public key and is retrieved using the recipient's private key. (See Figure 2.18.)
is_Private_DEK

⊢ ∀decryptP encryptP message txmsg rxmsg ekey dKEY0 dkey.
    (rxmsg = txmsg) ⊃
    (txmsg = encryptP message ekey) ⊃
    (∀msg. decryptP (encryptP msg ekey) dKEY0 = msg) ⊃
    (∀msg d2. (decryptP (encryptP msg ekey) d2 = msg) ⊃ (d2 = dKEY0)) ⊃
    ((dkey = dKEY0) = is_PrivateP decryptP message rxmsg dkey)


Theorem is_Private_msg is the privacy property of the original plaintext message in PEM, which is retrieved with the DEK. Since the DEK is known only to the intended recipient, as proved by theorem is_Private_DEK, the confidentiality of the message is preserved.

is_Private_msg

⊢ ∀decryptS encryptS message txmsg rxmsg decryptIV KEY0 key.
    (rxmsg = txmsg) ⊃
    (txmsg = encryptS message KEY0 decryptIV) ⊃
    (∀msg key.
       (decryptS (encryptS msg key decryptIV) key decryptIV = msg) ∧
       (∀msg key1. (decryptS msg key1 decryptIV = decryptS msg key decryptIV)
                   = (key = key1))) ⊃
    ((key = KEY0) = is_PrivateS decryptS message rxmsg decryptIV key)


In both cases, if the received message is not the same as the one transmitted, that is, if either the data encrypting key (DEK) or the encrypted message is modified in transit, the intended recipient will not be able to read it. The plaintext remains private, since nobody else can retrieve it either, but the recipient suffers a denial of service.


3.1.2  Source Authentication

We have defined source authentication in two ways. If verification of the signature against the received message succeeds, the recipient is sure of the source of the received message. In is_Authentic, the signature is verified against the original message. In is_Authentic2, the MIC (digital signature) of the message is verified against the hash of the message.

The parameters is_Authentic takes are: 1) verify, a public-key signature verification function; 2) message, the plaintext; 3) signature, the signature of the plaintext; 4) ekey, the signer's public key.

is_Authentic

    ⊢def ∀verify message signature ekey.
        is_Authentic verify message signature ekey =
            verify message signature ekey


The parameters is_Authentic2 takes are: 1) verify, a public-key signature verification function; 2) hash, the message digest algorithm; 3) message, the plaintext; 4) mic, the digital signature of the plaintext; 5) ekey, the signer's public key.


is_Authentic2

    ⊢def ∀verify hash message mic ekey.
        is_Authentic2 verify hash message mic ekey =
            verify (hash message) mic ekey


The desired property of source authentication is that the check is true if and only if the originator of the message is the one identified by the public key we use to verify the signature.

The assumptions we make for source authentication are: 1) the received message is the same as the transmitted one; 2) the transmitted message is a digital signature of the plaintext; 3) there is a unique private key dKEY0 associated with a signature which can be verified with the corresponding public key ekey.

The following theorem proves that if these assumptions are satisfied, the originator of the transmitted plaintext is known if and only if it passes the is_Authentic2 check.


is_Authentic_msg

    ⊢ ∀verify sign hash message txmic rxmic ekey dKEY0 dkey.
        (rxmic = txmic) ⊃
        (txmic = sign (hash message) dkey) ⊃
        (∀m1 m2 dkey2. verify m1 (sign m2 dkey2) ekey = (dkey2 = dKEY0)) ⊃
        ((dkey = dKEY0) = is_Authentic2 verify hash message rxmic ekey)


If the first assumption is not satisfied, source authentication fails and the recipient of the message cannot be sure of its source.

not_Authentic

    ⊢ ∀verify sign hash MESSAGE0 txmic rxmic ekey dKEY0.
        (txmic = sign (hash MESSAGE0) dKEY0) ⊃
        (∀m1 m2. verify m1 m2 ekey = (m2 = sign m1 dKEY0)) ⊃
        (∀m1 m2 dkey1 dkey2. (sign m1 dkey1 = sign m2 dkey2)
            ⊃ (m1 = m2) ∧ (dkey1 = dkey2)) ⊃
        ¬(rxmic = txmic) ⊃
        ¬(is_Authentic2 verify hash MESSAGE0 rxmic ekey)


3.1.3  Integrity

is_Intact is defined for message integrity checking. It takes several parameters: 1) verify, a function which verifies the signature; it takes a plaintext message, a signature and a key, and returns true if the signature was made on the given plaintext with the private key paired with the given key, and false otherwise; 2) hash, the message digest algorithm; 3) message, the plaintext part of the message retrieved from the mail; 4) ekey, the public key of the originator, used by the recipient to verify a signature; and 5) mic, the received digital signature of the message.

It declares both the message and its digital signature intact if verification of the digital signature of the original message against the hash of the received message succeeds. The definition matches the scheme shown in Figure 2.9. Note that the definition coincides with that of is_Authentic2; the two differ in what the surrounding theorems assume and conclude.


is_Intact

    ⊢def ∀verify hash message mic ekey.
        is_Intact verify hash message mic ekey =
            verify (hash message) mic ekey


The assumptions made about the received message are: 1) the received signature was generated by signing the hash (message digest) of the transmitted message; 2) it is computationally infeasible to find two messages m1 and m2 which hash to the same value, so if two hashes are equal the two messages are the same; 3) the verification process succeeds if and only if the signature was generated on the plaintext being verified.

What we want is for is_Intact to be true if and only if the received message is identical to the one transmitted. Under these assumptions, the correctness theorem is proved using the definition of is_Intact, with the assumed properties in the antecedent of the nested implication.

is_Intact_msg

    ⊢ ∀verify sign hash txmessage rxmessage txmic rxmic ekey dkey.
        (txmic = sign (hash txmessage) dkey) ⊃
        (rxmic = txmic) ⊃
        (∀m1 m2. (hash m1 = hash m2) ⊃ (m1 = m2)) ⊃
        (∀s1 s2. verify s1 (sign s2 dkey) ekey = (s1 = s2)) ⊃
        ((rxmessage = txmessage) = is_Intact verify hash rxmessage rxmic ekey)


When the received MIC is not the same as the one sent by the originator, the following theorem proves that the recipient cannot be sure of the integrity of either the MIC or the plaintext message.


not_Intact

    ⊢ ∀verify sign hash MESSAGE0 txmic rxmic ekey dKEY0.
        (txmic = sign (hash MESSAGE0) dKEY0) ⊃
        (∀m1 m2. verify m1 m2 ekey = (m2 = sign m1 dKEY0)) ⊃
        (∀m1 m2 dkey1 dkey2. (sign m1 dkey1 = sign m2 dkey2)
            ⊃ (m1 = m2) ∧ (dkey1 = dkey2)) ⊃
        ¬(rxmic = txmic) ⊃
        ¬(is_Intact verify hash MESSAGE0 rxmic ekey)


3.1.4  Non-Repudiation

is_non_Deniable is the security check for non-repudiation in the message system. It checks that the sender cannot deny the message by verifying the signature against the received plaintext. It has the following parameters: 1) verify, a public-key signature verification function; 2) message, the original plaintext; 3) signature, the signature of the plaintext; 4) ekey, the signer's public key. Since both source authentication and non-repudiation of a message are obtained through its signature, is_non_Deniable is defined in the same way as is_Authentic.


is_non_Deniable

    ⊢def ∀verify message signature ekey.
        is_non_Deniable verify message signature ekey =
            verify message signature ekey


The assumptions we make for checking the non-deniability of a message are: 1) the received MIC is the same as the transmitted MIC; 2) the transmitted MIC was generated by the originator on plaintext MESSAGE0; 3) it is computationally infeasible to find two messages m1 and m2 which hash to the same value, so if two hashes are equal the two messages are the same; 4) it is computationally infeasible to find two messages m1 and m2 and two private keys k1 and k2 which generate the same signature, so if a signature verifies against a message with a public key, then the private key and the plaintext used to generate the signature are unique. If the above assumptions are satisfied, the verification process succeeds if and only if the signature was generated on the plaintext being verified, with the unique private key known only to the signer. This scheme matches that shown in Figure 2.9.

Under the above assumptions, the non-repudiation check is true if and only if the received message was generated by the originator whose public key is ekey, so that the originator cannot deny having sent the message. The correctness theorem is_non_Deniable_msg is proved using the definition of is_non_Deniable.


is_non_Deniable_msg

    ⊢ ∀verify sign hash message MESSAGE0 txmic rxmic ekey dKEY0 dkey.
        (rxmic = txmic) ⊃
        (txmic = sign (hash MESSAGE0) dkey) ⊃
        (∀m1 m2. (hash m1 = hash m2) = (m1 = m2)) ⊃
        (∀m1 m2 dkey2. verify m1 (sign m2 dkey2) ekey =
            (m1 = m2) ∧ (dkey2 = dKEY0)) ⊃
        (((dkey = dKEY0) ∧ (message = MESSAGE0)) =
            is_non_Deniable verify (hash message) rxmic ekey)


When the received MIC is not the same as the transmitted MIC, the recipient cannot show to a third party that the originator has indeed sent the message. This is shown in the theorem that follows.


is_deniable

    ⊢ ∀verify sign hash MESSAGE0 txmic rxmic ekey dKEY0.
        (txmic = sign (hash MESSAGE0) dKEY0) ⊃
        (∀m1 m2. verify m1 m2 ekey = (m2 = sign m1 dKEY0)) ⊃
        (∀m1 m2 dkey1 dkey2. (sign m1 dkey1 = sign m2 dkey2)
            ⊃ (m1 = m2) ∧ (dkey1 = dkey2)) ⊃
        ¬(rxmic = txmic) ⊃
        ¬(is_non_Deniable verify (hash MESSAGE0) rxmic ekey)


The  definitions  and  properties  developed  in  this  section  are  independent 
of  any  particular  implementation.  What  we  must  do  is  link  the  particular 
implementation  to  the  general  definitions  and  properties.  For  this  we  must 
define  the  structure  of  PEM  messages  in  detail. 
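The checks of Section 3.1, and the cases that their correctness theorems separate (intact, modified in transit, wrong key, wrong signer), as an added example in Python. This is not code from the report, which works in HOL. The predicates are the report's, parameterised as above; everything else is an assumption made for the demo only: textbook RSA on two Mersenne primes as the public-key scheme (a toy, not a secure key), SHA-256 as the message digest, and a SHA-256 keystream XOR as the symmetric cipher, so that concrete sign, verify, encryptP, decryptP, encryptS and decryptS functions can be passed in as the function parameters.

```python
"""Added example, not code from the report: the checks of Section 3.1 as
higher-order functions, run on the cases the correctness theorems separate.
Toy primitives below are assumptions for the demo only (NOT secure)."""
import hashlib

# --- the general security checks, with the parameters of Section 3.1 ------
def is_PrivateS(decryptS, message, rxmsg, decryptIV, key):
    return decryptS(rxmsg, key, decryptIV) == message

def is_PrivateP(decryptP, message, rxmsg, dkey):
    return decryptP(rxmsg, dkey) == message

def is_Authentic(verify, message, signature, ekey):
    return verify(message, signature, ekey)

def is_Authentic2(verify, hash_, message, mic, ekey):
    return verify(hash_(message), mic, ekey)

is_Intact = is_Authentic2          # same definition, read as integrity
is_non_Deniable = is_Authentic     # same definition, read as non-repudiation

# --- assumed toy primitives: textbook RSA, SHA-256, XOR keystream ---------
def toy_rsa_keypair(p, q, e=65537):
    """Return (ekey, dkey) = ((e, n), (d, n)) for primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def hash_msg(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(digest: int, dkey) -> int:               # sign (hash m) dkey
    d, n = dkey
    return pow(digest % n, d, n)

def verify(digest: int, mic: int, ekey) -> bool:  # verify (hash m) mic ekey
    e, n = ekey
    return pow(mic, e, n) == digest % n

def encryptP(m: int, ekey) -> int:                # wrap a DEK for a recipient
    e, n = ekey
    return pow(m, e, n)

def decryptP(c: int, dkey) -> int:
    d, n = dkey
    return pow(c, d, n)

def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
              for i in range(0, length, 32))
    return b"".join(blocks)[:length]

def encryptS(message: bytes, key: bytes, iv: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(message, _keystream(key, iv, len(message))))

decryptS = encryptS                               # XOR stream: same function

# --- the cases the theorems distinguish ------------------------------------
def demo():
    ekey, dkey = toy_rsa_keypair(2**521 - 1, 2**607 - 1)     # recipient/signer
    _, wrong_dkey = toy_rsa_keypair(2**1279 - 1, 2**89 - 1)  # someone else
    DEK = 0x0123456789ABCDEF                                  # constructed DEK
    message = b"constructed PEM body\r\n"
    iv = bytes(8)

    # is_Private_DEK: only dkey opens the wrapped DEK; a DEK changed in transit
    # (rxmsg != txmsg) fails for the recipient too, the denial-of-service case
    txmsg = encryptP(DEK, ekey)
    dek_ok = is_PrivateP(decryptP, DEK, txmsg, dkey)
    dek_modified = is_PrivateP(decryptP, DEK, txmsg ^ 1, dkey)
    dek_wrong_key = is_PrivateP(decryptP, DEK, txmsg, wrong_dkey)

    # is_Private_msg: body under the DEK and IV; another key cannot read it
    key = DEK.to_bytes(8, "big")
    body = encryptS(message, key, iv)
    msg_ok = is_PrivateS(decryptS, message, body, iv, key)
    msg_wrong_key = is_PrivateS(decryptS, message, body, iv, bytes(8))

    # is_Intact_msg / not_Intact: MIC = sign (hash txmessage) dkey
    txmic = sign(hash_msg(message), dkey)
    intact = is_Intact(verify, hash_msg, message, txmic, ekey)
    body_modified = is_Intact(verify, hash_msg, message + b"!", txmic, ekey)
    mic_modified = is_Intact(verify, hash_msg, message, txmic ^ 1, ekey)

    # is_Authentic_msg: a MIC made with a key other than dKEY0 does not verify
    forged = sign(hash_msg(message), wrong_dkey)
    forged_auth = is_Authentic2(verify, hash_msg, message, forged, ekey)

    return {"dek_ok": dek_ok, "dek_modified": dek_modified,
            "dek_wrong_key": dek_wrong_key, "msg_ok": msg_ok,
            "msg_wrong_key": msg_wrong_key, "intact": intact,
            "body_modified": body_modified, "mic_modified": mic_modified,
            "forged_auth": forged_auth}

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>14}: {result}")
```

The modulus is larger than a SHA-256 digest, so the digest is signed without reduction and the collision-resistance antecedent of is_Intact_msg rests on the hash alone; with a small textbook modulus the reduction mod n would create collisions the theorem's assumption 2 rules out.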
3.2  Message Structure in HOL


Each PEM message type has a public-key variant and a secret-key variant. In this section only the public-key variant is discussed, since it is the only one in use. Also, some PEM messages are encoded to avoid the "mailer mangling" problem. Encoding is not discussed here, as it does not contribute to the security services we are concerned with in this report.

As an example, we discuss the structure of MIC-CLEAR messages using public-key signature algorithms. Table 2.4 shows the format of MIC-ONLY and MIC-CLEAR messages using public keys. Figure 2.22 is an example of a MIC-ONLY message. MIC-ONLY messages encode their text to avoid mailer problems; MIC-CLEAR messages do not use encoding.

MIC-CLEAR messages are 8-tuples:

    (preeb × proctype × contentdomain × id_asymmetric × (certificate)list ×
     MIC_Info × pemtext × posteb)

as shown in Table 2.4. However, not all 8-tuples are valid MIC-CLEAR messages. When a proper subset of the possible representations is identified as a new type, reasoning about messages is simplified because only valid representations are considered. The next section briefly illustrates the concepts of defining new types in HOL.


3.2.1  Type Definition in HOL

New types are introduced in HOL by identifying a subset of an existing type whose properties correspond to the properties of the new type, [11]. Isomorphic (one-to-one and onto) mappings between elements of the new type and elements of the subset of the existing type are defined. One mapping is the representation of the new type in terms of the existing type. The other is the abstraction of the existing type into the new type.

For example, say we wish to introduce the type color, which has only two members, black and white. In BNF, we write:

    color ::= black | white                                                 (3.1)

Suppose we choose to represent color by the cartesian product bool × bool. There are four elements in bool × bool but only two are needed. We choose to represent black as (T,F) and white as (F,T), as shown in Figure 3.1.

Defining new types in HOL is a three-step process. The first step finds an appropriate subset of an existing type to represent the new type. The second step extends the syntax of HOL to include the new type by using a type definition axiom which defines the relationship between the new type and its representation. Finally, from the type definition axiom, the properties of the new type are derived.

[Figure 3.1: Defining Type color. New type: color; existing type: (bool × bool). black is mapped to (T,F) and white to (F,T); the remaining pairs (T,T) and (F,F) are not used.]

In our example, the valid representations among boolean pairs are defined by is_Color.

    is_Color (x,y) = ((x,y) = (T,F) ∨ (x,y) = (F,T))                        (3.2)

As there is at least one value of (x,y) which satisfies is_Color, the following type definition axiom holds. It states that there is a representation function rep which is an isomorphism between {black, white} and {(T,F), (F,T)}.

    ⊢ ∃rep : color → (bool × bool).
        (∀a1 a2. rep a1 = rep a2 ⊃ a1 = a2) ∧
        (∀r : (bool × bool). is_Color r = (∃a : color. r = rep a))


A valid representation function for color is any function which has the isomorphism properties defined above.

We refer to objects having a property P with Hilbert's ε-operator, [11]. The semantics of ε are given below.

    ⊢ ∀P. (∃x. P x) ⊃ P (εx. P x)                                           (3.4)

For example, if P x were 1 < x < 4, where x is a natural number, εx. P x would be either 2 or 3, and P (εx. P x) is true.

We define the representation and abstraction functions REP_color and ABS_color as follows.

    TYPE_DEF P rep =
        (∀a1 a2. rep a1 = rep a2 ⊃ a1 = a2) ∧
        (∀r. P r = (∃a : color. r = rep a))                                  (3.5)

    REP_color = εrep. TYPE_DEF is_Color rep                                  (3.6)

    ABS_color r = (εa. r = REP_color a)                                     (3.7)

REP_color is any function satisfying the one-to-one and onto properties of TYPE_DEF. ABS_color r returns a color whose representation is r. Given the associations in Figure 3.1, we define black and white as follows.

    black = ABS_color (T,F)                                                 (3.8)

    white = ABS_color (F,T)                                                 (3.9)


Given the definitions of TYPE_DEF, REP_color, the semantics of ε, and ABS_color, the following properties are easily proved. They state that REP_color is one-to-one and onto; that ABS_color is one-to-one and onto within the constraints of is_Color; and that REP_color and ABS_color invert each other.

    ⊢ ∀a1 a2. REP_color a1 = REP_color a2 ⊃ (a1 = a2)                        (3.10)

    ⊢ ∀r. is_Color r = (∃a. r = REP_color a)                                 (3.11)

    ⊢ ∀r1 r2. is_Color r1 ⊃ (is_Color r2 ⊃
        (ABS_color r1 = ABS_color r2 ⊃ r1 = r2))                             (3.12)

    ⊢ ∀a. ∃r. (a = ABS_color r) ∧ is_Color r                                 (3.13)

    ⊢ ∀a. ABS_color (REP_color a) = a                                        (3.14)

    ⊢ ∀r. is_Color r = (REP_color (ABS_color r) = r)                         (3.15)

The  same  techniques  used  to  define  color  are  generally  applicable.  In 
the  next  section,  we  show  how  to  apply  type  definition  techniques  to  the 
message  integrity  code  field  of  messages. 
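The three-step construction above, carried out for color in Lean 4 as an added example; the report itself works in HOL and this block is not part of it. It assumes only Lean 4 core (no Mathlib). Lean builds the new type directly as a subtype of the representing type, so the role of the TYPE_DEF axiom is played by the subtype itself, and instead of Hilbert's ε-operator ABS_color takes the proof that its argument is a valid representation; with that choice the properties (3.10), (3.11), (3.14) and (3.15) follow by rfl or by Subtype.eq.

```lean
-- Added example, not from the report (which works in HOL): the type color of
-- Section 3.2.1 as a subtype of Bool × Bool, in Lean 4 core without Mathlib.
-- Step 1: the subset of the existing type (3.2).
def is_Color (p : Bool × Bool) : Prop :=
  p = (true, false) ∨ p = (false, true)

-- The side condition of the type definition axiom: the subset is non-empty.
theorem is_Color_nonempty : ∃ p, is_Color p :=
  ⟨(true, false), Or.inl rfl⟩

-- Step 2: the new type.  In HOL this is the TYPE_DEF axiom; in Lean the
-- subtype is built directly from the predicate.
abbrev Color := { p : Bool × Bool // is_Color p }

-- Representation and abstraction (3.6), (3.7).  Instead of Hilbert's ε,
-- ABS_color takes the proof that r is a valid representation as an argument.
def REP_color (a : Color) : Bool × Bool := a.val
def ABS_color (r : Bool × Bool) (h : is_Color r) : Color := ⟨r, h⟩

-- (3.8), (3.9)
def black : Color := ABS_color (true, false) (Or.inl rfl)
def white : Color := ABS_color (false, true) (Or.inr rfl)

-- Step 3: the properties of the new type.
-- (3.10) REP_color is one-to-one.
theorem REP_color_one_one (a₁ a₂ : Color) (h : REP_color a₁ = REP_color a₂) :
    a₁ = a₂ :=
  Subtype.eq h

-- (3.11) the valid representations are exactly the images of REP_color.
theorem is_Color_iff_rep (r : Bool × Bool) :
    is_Color r ↔ ∃ a : Color, r = REP_color a :=
  ⟨fun h => ⟨⟨r, h⟩, rfl⟩, fun ⟨a, h⟩ => by rw [h]; exact a.property⟩

-- (3.14) ABS_color (REP_color a) = a
theorem ABS_REP (a : Color) : ABS_color (REP_color a) a.property = a :=
  rfl

-- (3.15) on valid representations, REP_color (ABS_color r) = r
theorem REP_ABS (r : Bool × Bool) (h : is_Color r) :
    REP_color (ABS_color r h) = r :=
  rfl
```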
3.2.2  MIC_Info as a Type

We focus on the MIC_Info portion of a message. Figure 2.13 gives the BNF definition of <micinfo>. It is a 3-tuple where the first element identifies the hash function used to compute the MIC; the second element is the signature algorithm used to encrypt the MIC; and the third element is the signed message digest of the transmitted message. The particular algorithms are defined in Figure 2.15.

As some of the algorithms (like RSA) are used in more than one capacity, we first introduce the algorithm identifiers as a separate abstract type, algid, i.e. we do not care how the members of the type are actually represented.

    algid ::= DES_CBC | DES_EDE | DES_ECB | RSA | RSA_MD2 | RSA_MD5        (3.16)

Valid MIC_Info fields are a proper subset of all 3-tuples of (algid × algid × asymsignmic). The predicate is_MIC_Info identifies the valid 3-tuples for MIC_Info. Note that FST and SND are destructors for pairs, e.g. FST (a,b,c) = a and SND (a,b,c) = (b,c).

    is_MIC_Info x =
        ((FST x = RSA_MD2) ∨ (FST x = RSA_MD5)) ∧
        ((FST (SND x) = DES_EDE) ∨ (FST (SND x) = DES_ECB) ∨
         (FST (SND x) = RSA))                                                (3.17)

From the definition of is_MIC_Info we can prove the theorem ⊢ ∃x. is_MIC_Info x, which allows us to introduce a new type MIC_Info as follows.

    ⊢ ∃rep. TYPE_DEF is_MIC_Info rep                                         (3.18)

Using the above type definition axiom, we define the representation function REP_MIC_Info and the abstraction function MIC_Info as follows (notice that the abstraction function has the same name as the MIC-Info field identifier).
    get_MIC_sigalgid x = FST (SND (REP_MIC_Info x))                          (3.28)

    get_MIC_mic x = SND (SND (REP_MIC_Info x))                               (3.29)

Based on the above characterization of MIC_Info as a type, any x which is a member of MIC_Info has a valid representation as a 3-tuple (algid × algid × asymsignmic). This is stated by the following theorem.

    ⊢ ∀x. is_MIC_Info (REP_MIC_Info x)

The above theorem, coupled with the definition of is_MIC_Info, leads to the following correctness properties of the hash and signature accessor functions. In particular, each accessor function, when applied to a valid MIC_Info field, yields only the specified hash and signature algorithms.

    ⊢ ∀x. (get_MIC_algid x = RSA_MD2) ∨ (get_MIC_algid x = RSA_MD5)          (3.31)

    ⊢ ∀x. (get_MIC_sigalgid x = DES_EDE) ∨ (get_MIC_sigalgid x = DES_ECB) ∨
          (get_MIC_sigalgid x = RSA)                                         (3.32)

As the algorithm names in the MIC_Info field are just names and not the actual hash and signature functions, we define signature and hash selector functions which take a function name and return its corresponding function. For simplicity, we do not define the actual functions here, but just declare them as function names with the proper type signatures. For example, sDES_EDE is of type asymsignmic → key → asymsignmic and is the signature function corresponding to DES_EDE.

    MIC_sign_select x =
        ((get_MIC_sigalgid x = DES_EDE) → sDES_EDE
         | ((get_MIC_sigalgid x = DES_ECB) → sDES_ECB | sRSA))

    MIC_hash_select x =
        ((get_MIC_algid x = RSA_MD2) → fRSA_MD2 | fRSA_MD5)


Other  selector  and  accessor  functions  are  defined  similarly  and  have 
properties  similar  to  those  shown  above.  The  development  of  these  func¬ 
tions  is  listed  in  the  appendices. 
3.3  Functions for MIC-CLEAR Messages


Given the MIC accessor functions for MIC-CLEAR messages, the hash and signature selector functions, and the general integrity checking function is_Intact, we now define the integrity checking function MIC_CLEAR_is_Intact for MIC-CLEAR messages. It is the general integrity function is_Intact with its parameters specialized by the hash and signature selection functions.

    MIC_CLEAR_is_Intact msg =
        (let micinfo = get_MIC_CLEAR_MIC_Info msg
         in
         let ekey = get_Key_from_ID (get_OriginatorAsymID_info msg)
         in
         is_Intact (MIC_sign_select micinfo) (MIC_hash_select micinfo)
                   (get_MIC_CLEAR_text msg) (get_MIC_mic micinfo) ekey)      (3.35)

Given the definition of MIC_CLEAR_is_Intact and the general correctness theorem is_Intact_msg, we can prove the following correctness theorem for MIC_CLEAR_is_Intact. It states that under assumptions similar to those of the general is_Intact correctness theorem, MIC_CLEAR_is_Intact is true if-and-only-if the transmitted and received messages are the same. When MIC_CLEAR_is_Intact is false, what was received differs from what was transmitted. The theorem assures that, given the assumptions, the intent of the integrity function is satisfied for MIC-CLEAR messages. Similar functions for other message types and security properties can be defined and verified.

    ⊢ ∀mic_clear_msg sign txmessage dkey.
        let micinfo = get_MIC_CLEAR_MIC_Info mic_clear_msg
        in
        let ekey = get_Key_from_ID (get_OriginatorAsymID_info mic_clear_msg)
        in
        let hash = MIC_hash_select micinfo
        and verify = MIC_sign_select micinfo
        and rxmessage = get_MIC_CLEAR_text mic_clear_msg
        in
        (get_MIC_mic micinfo = sign (hash txmessage) dkey) ⊃
        (∀m1 m2. (hash m1 = hash m2) ⊃ (m1 = m2)) ⊃
        (∀m1 m2. verify m1 (sign m2 dkey) ekey = (m1 = m2)) ⊃
        ((txmessage = rxmessage) = MIC_CLEAR_is_Intact mic_clear_msg)
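The MIC_Info type of Section 3.2.2 (validity predicate, accessors, selectors) and the specialised check MIC_CLEAR_is_Intact of Section 3.3, as an added example in Python; this is not code from the report. The MIC-CLEAR message is the 8-tuple of Table 2.4. Assumptions made here and nowhere in the report: textbook RSA on two Mersenne primes stands in for sRSA (a toy, not a secure key), hashlib.md5 for fRSA_MD5, a small constructed directory for get_Key_from_ID, and the MIC-CLEAR tuple is built by a constructed originator-side helper make_mic_clear. The symmetric MIC algorithms DES_EDE and DES_ECB are mapped to a fail-closed verifier, since the report models only the public-key variant; a message naming one of them is therefore reported as not intact rather than accepted.

```python
"""Added example, not code from the report: the MIC_Info type of Section 3.2.2
(validity predicate, accessors, selectors) and the specialised integrity check
MIC_CLEAR_is_Intact of Section 3.3.  Toy RSA and the key directory are
assumptions for the demo only (NOT secure)."""
import hashlib
from enum import Enum

class algid(Enum):                       # the abstract type algid (3.16)
    DES_CBC = 1
    DES_EDE = 2
    DES_ECB = 3
    RSA = 4
    RSA_MD2 = 5
    RSA_MD5 = 6

def FST(t): return t[0]                              # FST (a,b,c) = a
def SND(t): return t[1] if len(t) == 2 else t[1:]    # SND (a,b,c) = (b,c)

def is_MIC_Info(x) -> bool:              # (3.17): which 3-tuples are valid
    return (FST(x) in (algid.RSA_MD2, algid.RSA_MD5) and
            FST(SND(x)) in (algid.DES_EDE, algid.DES_ECB, algid.RSA))

class MIC_Info:
    """The new type.  The constructor plays the abstraction function: it admits
    only tuples satisfying is_MIC_Info, so is_MIC_Info (REP_MIC_Info x) holds
    for every x of the type, which is what makes (3.31) and (3.32) true."""
    __slots__ = ("_rep",)
    def __init__(self, rep):
        if not is_MIC_Info(rep):
            raise ValueError(f"not a valid MIC_Info representation: {rep}")
        self._rep = rep

def REP_MIC_Info(x: MIC_Info): return x._rep
def get_MIC_algid(x):    return FST(REP_MIC_Info(x))           # hash algorithm
def get_MIC_sigalgid(x): return FST(SND(REP_MIC_Info(x)))      # (3.28)
def get_MIC_mic(x):      return SND(SND(REP_MIC_Info(x)))      # (3.29)

# --- assumed concrete algorithms behind the names --------------------------
P, Q = 2**127 - 1, 2**89 - 1             # Mersenne primes: toy RSA key, NOT secure
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def sRSA(digest: bytes, mic: int, ekey) -> bool:   # verify (hash m) mic ekey
    e, n = ekey
    return pow(mic, e, n) == int.from_bytes(digest, "big")

def sign_RSA(digest: bytes, dkey) -> int:          # sign (hash m) dkey
    d, n = dkey
    return pow(int.from_bytes(digest, "big"), d, n)

def _not_modelled(digest, mic, ekey) -> bool:
    return False          # fail closed: symmetric MIC variant is not modelled

def fRSA_MD5(m: bytes) -> bytes: return hashlib.md5(m).digest()
def fRSA_MD2(m: bytes) -> bytes: return hashlib.new("md2", m).digest()  # needs OpenSSL MD2

def MIC_sign_select(x):                  # name -> verification function
    return {algid.RSA: sRSA}.get(get_MIC_sigalgid(x), _not_modelled)

def MIC_hash_select(x):                  # name -> hash function
    return fRSA_MD2 if get_MIC_algid(x) == algid.RSA_MD2 else fRSA_MD5

# --- MIC-CLEAR messages as the 8-tuples of Table 2.4 ------------------------
# (preeb, proctype, contentdomain, id_asymmetric, certificates, MIC_Info,
#  pemtext, posteb)
def get_OriginatorAsymID_info(msg): return msg[3]
def get_MIC_CLEAR_MIC_Info(msg):    return msg[5]
def get_MIC_CLEAR_text(msg):        return msg[6]

KEY_DIRECTORY = {"CN=Alice,O=Example": (E, N)}     # constructed stand-in
def get_Key_from_ID(id_asymmetric):  return KEY_DIRECTORY[id_asymmetric]

def is_Intact(verify, hash_, message, mic, ekey):  # the general check
    return verify(hash_(message), mic, ekey)

def MIC_CLEAR_is_Intact(msg) -> bool:              # (3.35)
    micinfo = get_MIC_CLEAR_MIC_Info(msg)
    ekey = get_Key_from_ID(get_OriginatorAsymID_info(msg))
    return is_Intact(MIC_sign_select(micinfo), MIC_hash_select(micinfo),
                     get_MIC_CLEAR_text(msg), get_MIC_mic(micinfo), ekey)

def make_mic_clear(text: bytes, originator: str, dkey, sigalg=algid.RSA):
    """Originator side (constructed): MIC = sign (hash text) dkey, in the tuple."""
    micinfo = MIC_Info((algid.RSA_MD5, sigalg, sign_RSA(fRSA_MD5(text), dkey)))
    return ("-----BEGIN PRIVACY-ENHANCED MESSAGE-----", "4,MIC-CLEAR", "RFC822",
            originator, [], micinfo, text, "-----END PRIVACY-ENHANCED MESSAGE-----")

def demo():
    text = b"constructed MIC-CLEAR body\r\n"
    msg = make_mic_clear(text, "CN=Alice,O=Example", (D, N))
    tampered = msg[:6] + (text + b"x",) + msg[7:]
    des_mic = make_mic_clear(text, "CN=Alice,O=Example", (D, N), algid.DES_EDE)
    return (MIC_CLEAR_is_Intact(msg),        # True: rxmessage = txmessage
            MIC_CLEAR_is_Intact(tampered),   # False: body changed in transit
            MIC_CLEAR_is_Intact(des_mic))    # False: MIC algorithm not modelled

if __name__ == "__main__":
    print(demo())
```

The constructor of MIC_Info is the only way to obtain a value of the type, so an accessor can never return an algorithm outside the sets in (3.31) and (3.32); an invalid tuple such as (DES_CBC, RSA, mic) is rejected before any selector runs.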


3.4  Functions for ENCRYPTED Messages

For simplicity, ENCRYPTED messages are modeled as a 10-tuple:

    (preeb × proctype × contentdomain × dekinfo × id_asymmetric × (certificate)list ×
     MIC_Info × (id_asymmetric × Key_Info)list × pemtext × posteb)

The security, accessor, and selector functions for ENCRYPTED messages are defined in the same way as they are for MIC-CLEAR messages. They are the general security functions with their parameters specialized by the selection functions. We assume that all fields of a PEM message are retrieved successfully, except for the ciphertext and the encrypted MIC fields.

With the specialized security functions and the general correctness theorems, we can prove the specialized correctness theorems for ENCRYPTED messages.


3.4.1  Privacy

The privacy check functions ENCRYPTED_is_PrivateP and ENCRYPTED_is_PrivateS are defined using the general privacy functions is_PrivateP and is_PrivateS with their parameters specialized by the key-encryption and message-encryption selection functions, DEK_encrypt_select and msg_Encrypt_select.


ENCRYPTED_is_PrivateP

    ⊢def ∀msg txDEK.
        ENCRYPTED_is_PrivateP msg txDEK =
            is_PrivateP (DEK_encrypt_select (getEN_KEY_info msg)) txDEK
                        (getEN_msg_EncryptedKey msg) recipientkey

ENCRYPTED_is_PrivateS

    ⊢def ∀msg message.
        ENCRYPTED_is_PrivateS msg message =
            (let rxDEK = getEN_msg_DEK msg
             and decryptIV = getEN_msg_MsgEncryptIV msg
             in
             is_PrivateS (msg_Encrypt_select (getEN_DEK_info msg)) message
                         (getEN_Message_info msg) decryptIV rxDEK)


Given the definitions of ENCRYPTED_is_PrivateP and ENCRYPTED_is_PrivateS and the general correctness theorems is_Private_DEK and is_Private_msg, we can prove the correctness theorems ENCRYPTED_is_Private_DEK and ENCRYPTED_is_Private_msg. The following theorem states that under assumptions similar to those of the general is_Private_DEK correctness theorem, ENCRYPTED_is_PrivateP is true if-and-only-if the received DEK is not disclosed during transmission.


ENCRYPTED_is_Private_DEK

    ⊢ ∀Encrypted_msg encryptP DEK dKEY0 dkey.
        let Key_info = getEN_KEY_info Encrypted_msg
        in
        let decryptP = DEK_encrypt_select Key_info
        and rxmsg = getEN_msg_EncryptedKey Encrypted_msg
        and dkey = recipientkey
        in
        (rxmsg = txmsg) ⊃
        (txmsg = encryptP DEK ekey) ⊃
        (∀msg. decryptP (encryptP msg ekey) dKEY0 = msg) ⊃
        (∀msg d2. (decryptP (encryptP msg ekey) d2 = msg) ⊃ (d2 = dKEY0)) ⊃
        ((dkey = dKEY0) = ENCRYPTED_is_PrivateP Encrypted_msg DEK)


The theorem below states that under assumptions similar to those of the general is_Private_msg correctness theorem, ENCRYPTED_is_PrivateS is true if-and-only-if the received original plaintext is not disclosed during transmission.

ENCRYPTED_is_Private_msg

    ⊢ ∀Encrypted_msg encryptS message DEK.
        let DEK_info = getEN_DEK_info Encrypted_msg
        in
        let decryptS = msg_Encrypt_select DEK_info
        and rxmsg = getEN_Message_info Encrypted_msg
        and decryptIV = getEN_msg_MsgEncryptIV Encrypted_msg
        and KEY0 = DEK
        and key = getEN_msg_DEK Encrypted_msg
        in
        (rxmsg = txmsg) ⊃
        (txmsg = encryptS message KEY0 decryptIV) ⊃
        (∀msg key.
            (decryptS (encryptS msg key decryptIV) key decryptIV = msg) ∧
            (∀msg key1. (decryptS msg key1 decryptIV = decryptS msg key decryptIV)
                        = (key = key1))) ⊃
        ((key = KEY0) = ENCRYPTED_is_PrivateS Encrypted_msg message)


3.4.2  Source Authentication

The source authentication check function ENCRYPTED_is_Authentic2 is defined as the general source authentication function is_Authentic2 with its parameters specialized by the hash and signature selection functions.


ENCRYPTED_is_Authentic2

    ⊢def ∀msg.
        ENCRYPTED_is_Authentic2 msg =
            (let micinfo = getEN_MIC_info msg
             in
             let ekey = get_Key_from_ID (getEN_OriginatorAsymID_info msg)
             in
             is_Authentic2 (MIC_sign_select micinfo) (MIC_hash_select micinfo)
                           (getEN_msg_message msg) (getEN_msg_MIC msg) ekey)


Given the definition of ENCRYPTED_is_Authentic2 and the general correctness theorem is_Authentic_msg, we prove the correctness theorem ENCRYPTED_is_Authentic_msg. It states that under assumptions similar to those of the general is_Authentic_msg correctness theorem, ENCRYPTED_is_Authentic2 is true if-and-only-if the received original plaintext was sent by the originator identified by the public key stated in the received message.


ENCRYPTED_is_Authentic_msg

    ⊢ ∀Encrypted_msg sign txmic dKEY0 dkey.
        let micinfo = getEN_MIC_info Encrypted_msg
        in
        let verify = MIC_sign_select micinfo
        and hash = MIC_hash_select micinfo
        and message = getEN_msg_message Encrypted_msg
        and rxmic = getEN_msg_MIC Encrypted_msg
        and ekey = get_Key_from_ID (getEN_OriginatorAsymID_info Encrypted_msg)
        in
        (rxmic = txmic) ⊃
        (txmic = sign (hash message) dkey) ⊃
        (∀m1 m2 dkey2. verify m1 (sign m2 dkey2) ekey = (dkey2 = dKEY0)) ⊃
        ((dkey = dKEY0) = ENCRYPTED_is_Authentic2 Encrypted_msg)


3.4.3  Integrity

The integrity check function ENCRYPTED_is_Intact is defined as the general integrity function is_Intact with its parameters specialized by the hash and signature selection functions.


ENCRYPTED_is_Intact

    ⊢def ∀msg.
        ENCRYPTED_is_Intact msg =
            (let micinfo = getEN_MIC_info msg
             in
             let ekey = get_Key_from_ID (getEN_OriginatorAsymID_info msg)
             in
             is_Intact (MIC_sign_select micinfo) (MIC_hash_select micinfo)
                       (getEN_msg_message msg) (getEN_msg_MIC msg) ekey)


Given the definition of ENCRYPTED_is_Intact and the general correctness theorem is_Intact_msg, the correctness theorem ENCRYPTED_is_Intact_msg can be proved. The theorem states that under assumptions similar to those of the general is_Intact_msg correctness theorem, ENCRYPTED_is_Intact is true if-and-only-if the received plaintext after processing is the same as the original plaintext before encryption.

ENCRYPTED_is_Intact_msg

    ⊢ ∀Encrypted_msg sign txmessage txmic dkey.
        let micinfo = getEN_MIC_info Encrypted_msg
        in
        let verify = MIC_sign_select micinfo
        and hash = MIC_hash_select micinfo
        and rxmessage = getEN_msg_message Encrypted_msg
        and rxmic = getEN_msg_MIC Encrypted_msg
        and ekey = get_Key_from_ID (getEN_OriginatorAsymID_info Encrypted_msg)
        in
        (txmic = sign (hash txmessage) dkey) ⊃
        (rxmic = txmic) ⊃
        (∀m1 m2. (hash m1 = hash m2) ⊃ (m1 = m2)) ⊃
        (∀s1 s2. verify s1 (sign s2 dkey) ekey = (s1 = s2)) ⊃
        ((rxmessage = txmessage) = ENCRYPTED_is_Intact Encrypted_msg)


3.4.4  Non-Repudiation

The non-repudiation check function ENCRYPTED_is_non_deniable is defined as the general non-deniability function is_non_Deniable with its parameters specialized by the hash and signature selection functions.


ENCRYPTED_is_non_deniable

    ⊢def ∀msg.
        ENCRYPTED_is_non_deniable msg =
            (let micinfo = getEN_MIC_info msg
             in
             let ekey = get_Key_from_ID (getEN_OriginatorAsymID_info msg)
             and hash = MIC_hash_select micinfo
             in
             is_non_Deniable (MIC_sign_select micinfo)
                             (hash (getEN_msg_message msg))
                             (getEN_msg_MIC msg) ekey)


Given the definition of ENCRYPTED_is_non_deniable and the general correctness theorem is_non_Deniable_msg, we can prove the correctness theorem ENCRYPTED_is_non_deniable_msg. It states that under assumptions similar to those of the general is_non_Deniable_msg correctness theorem, ENCRYPTED_is_non_deniable is true if-and-only-if the originator of the retrieved plaintext, identified by the public key stated in the received message, cannot deny having sent the message.

ENCRYPTED_is_non_deniable_msg

    ⊢ ∀Encrypted_msg sign MESSAGE0 txmic dKEY0 dkey.
        let micinfo = getEN_MIC_info Encrypted_msg
        in
        let verify = MIC_sign_select micinfo
        and hash = MIC_hash_select micinfo
        and message = getEN_msg_message Encrypted_msg
        and rxmic = getEN_msg_MIC Encrypted_msg
        and ekey = get_Key_from_ID (getEN_OriginatorAsymID_info Encrypted_msg)
        in
        (rxmic = txmic) ⊃
        (txmic = sign (hash MESSAGE0) dkey) ⊃
        (∀m1 m2. (hash m1 = hash m2) = (m1 = m2)) ⊃
        (∀m1 m2 dkey2. verify m1 (sign m2 dkey2) ekey =
            (m1 = m2) ∧ (dkey2 = dKEY0)) ⊃
        (((dkey = dKEY0) ∧ (message = MESSAGE0)) =
            ENCRYPTED_is_non_deniable Encrypted_msg)
Conclusions


The increased use of networked and distributed computing makes security a major concern. The capability to verify that a system meets its security requirements will continue to grow in importance. In particular, the capability to assign security properties to engineering structures is crucial.

This work focuses on verifying the security properties of Privacy Enhanced Mail (PEM). Security properties such as privacy, source authentication, integrity and non-repudiation are defined independently of any implementation structure. PEM message structures and operations on those structures are shown to have the desired security properties. Various PEM structures are defined as types. Security interpretations are defined as operations on these types.

All the definitions and proofs are done using the Higher Order Logic (HOL) theorem-prover. While at times the proofs are intricate, they are well within the capabilities of engineers who have been trained to use HOL.

The work done on PEM shows the feasibility of using formal logic and computer-assisted reasoning tools to describe and verify relatively complex systems. The advantage of using these methods is the assurance of correctness of the specifications given to implementers. If the specifications are correctly implemented, then the desired security properties will be achieved.
Appendix A

NOTATIONAL CONVENTIONS


This appendix is excerpted in part from RFC 822, Standard for the Format
of ARPA Internet Text Messages, [3]. It defines the augmented BNF
notation used for describing PEM message formats.

This specification uses an augmented Backus-Naur Form (BNF) notation.
The differences from standard BNF involve naming rules and indicating
repetition and “local” alternatives.


A.1 RULE NAMING


Angle brackets (“<” and “>”) are not used, in general. The name of a rule is
simply the name itself, rather than “<name>”. Quotation-marks enclose
literal text (which may be upper and/or lower case). Certain basic rules are
in uppercase, such as SPACE, TAB, CRLF, DIGIT, ALPHA, etc. Angle
brackets are used in rule definitions, and in the rest of this document,
whenever their presence will facilitate discerning the use of rule names.

A.2 RULE1 / RULE2: ALTERNATIVES

Elements separated by slash (“/”) are alternatives. Therefore “foo / bar”
will accept foo or bar.

A.3 (RULE1 RULE2): LOCAL ALTERNATIVES


Elements enclosed in parentheses are treated as a single element. Thus,
“(elem (foo / bar) elem)” allows the token sequences “elem foo elem” and
“elem bar elem”.


A.4 *RULE: REPETITION


The character “*” preceding an element indicates repetition. The full form
is:


<l>*<m>element

indicating at least <l> and at most <m> occurrences of element. Default
values are 0 and infinity so that “*(element)” allows any number, including
zero; “1*element” requires at least one; and “1*2element” allows one or
two.


A.5 [RULE]: OPTIONAL

Square brackets enclose optional elements; “[foo bar]” is equivalent to
“*1(foo bar)”.


A.6 <n>RULE: SPECIFIC REPETITION


“<n>(element)” is equivalent to “<n>*<n>(element)”; that is, exactly
<n> occurrences of (element). Thus 2DIGIT is a 2-digit number, and
3ALPHA is a string of three alphabetic characters.


A.7 #RULE: LISTS

A construct “#” is defined, similar to “*”, as follows:

<l>#<m>element

indicating at least <l> and at most <m> elements, each separated by one
or more commas (“,”). This makes the usual form of lists very easy; a rule
such as ‘(element *(“,” element))’ can be shown as “1#element”. Wherever
this construct is used, null elements are allowed, but do not contribute to
the count of elements present. That is, “(element),,(element)” is permitted,
but counts as only two elements. Therefore, where at least one element is
required, at least one non-null element must be present. Default values
are 0 and infinity so that “#(element)” allows any number, including zero;
“1#element” requires at least one; and “1#2element” allows one or two.


A.8 ; COMMENTS

A semi-colon, set off some distance to the right of rule text, starts a
comment that continues to the end of line. This is a simple way of including
useful notes in parallel with the specifications.
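As an added example (not part of the report or of RFC 822), the following Python matcher implements the operators of sections A.2 to A.7 over character tokens, including the rule that null elements in a “#” list are permitted but not counted; the rule names daynum, month, date, hour, word, encrypted_body and keywords_body, and the helper full_match, are constructed here for illustration and are not the report's code.

```python
"""Matcher for the augmented BNF operators of RFC 822 (Appendix A).
Added example, not from the report or RFC 822.  The rule names daynum,
month, date, hour, word, encrypted_body, keywords_body and the helper
full_match are constructed for illustration; operators follow A.2 to A.7."""
from typing import Callable, List, Optional

Tokens = List[str]
# A matcher maps (tokens, position) to the position after the match, or None.
Matcher = Callable[[Tokens, int], Optional[int]]

def lit(text: str) -> Matcher:
    """Quoted literal text; RFC 822 literals are case-insensitive."""
    def m(toks: Tokens, i: int) -> Optional[int]:
        end = i + len(text)
        if "".join(toks[i:end]).lower() == text.lower():
            return end
        return None
    return m

def char_class(pred: Callable[[str], bool]) -> Matcher:
    """Basic rules such as DIGIT and ALPHA: one token satisfying pred."""
    def m(toks: Tokens, i: int) -> Optional[int]:
        return i + 1 if i < len(toks) and pred(toks[i]) else None
    return m

def seq(*parts: Matcher) -> Matcher:
    """Elements written one after another (A.3 groups them in parentheses)."""
    def m(toks: Tokens, i: int) -> Optional[int]:
        for p in parts:
            nxt = p(toks, i)
            if nxt is None:
                return None
            i = nxt
        return i
    return m

def alt(*choices: Matcher) -> Matcher:
    """rule1 / rule2 (A.2): the first alternative that matches wins."""
    def m(toks: Tokens, i: int) -> Optional[int]:
        for c in choices:
            nxt = c(toks, i)
            if nxt is not None:
                return nxt
        return None
    return m

def rep(lo: int, hi: Optional[int], elem: Matcher) -> Matcher:
    """<l>*<m>element (A.4): at least lo and at most hi (None = infinity)."""
    def m(toks: Tokens, i: int) -> Optional[int]:
        count = 0
        while hi is None or count < hi:
            nxt = elem(toks, i)
            if nxt is None or nxt == i:  # stop on failure or on no progress
                break
            i, count = nxt, count + 1
        return i if count >= lo else None
    return m

def opt(elem: Matcher) -> Matcher: return rep(0, 1, elem)  # [elem] (A.5) == *1(elem)

def exactly(n: int, elem: Matcher) -> Matcher: return rep(n, n, elem)  # <n>elem (A.6)

def lst(lo: int, hi: Optional[int], elem: Matcher) -> Matcher:
    """<l>#<m>element (A.7): elements separated by one or more commas.
    Null elements (nothing between commas) are accepted but not counted, so
    "x,,x" holds two elements and "," holds none.  Greedy, no backtracking."""
    def m(toks: Tokens, i: int) -> Optional[int]:
        count, pos = 0, i
        while True:
            nxt = elem(toks, pos)
            if nxt is not None and nxt > pos:  # a non-null element
                count, pos = count + 1, nxt
            if pos < len(toks) and toks[pos] == ",":  # run of separators
                while pos < len(toks) and toks[pos] == ",":
                    pos += 1
                continue
            break
        if count < lo or (hi is not None and count > hi):
            return None
        return pos
    return m

DIGIT = char_class(str.isdigit)
ALPHA = char_class(str.isalpha)

daynum = rep(1, 2, DIGIT)                                    # 1*2DIGIT
month = alt(*(lit(mo) for mo in ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                  "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")))
date = seq(daynum, lit(" "), month, lit(" "), exactly(2, DIGIT))  # space explicit
hour = seq(exactly(2, DIGIT), lit(":"), exactly(2, DIGIT),
           opt(seq(lit(":"), exactly(2, DIGIT))))            # hour rule
word = rep(1, None, ALPHA)                                   # word, atoms only
encrypted_body = lst(1, 2, word)                             # 1#2word
keywords_body = lst(0, None, word)                           # #phrase

def full_match(rule: Matcher, text: str) -> bool:
    """True when rule consumes every character of text."""
    toks = list(text)
    return rule(toks, 0) == len(toks)
```

A full-match check, rather than a prefix match, is what a header parser needs: it is the trailing garbage and the uncounted null elements that distinguish a well-formed field from an almost well-formed one.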


A.9 ALPHABETICAL LISTING OF SYNTAX RULES


address     =  mailbox                      ; one addressee
            /  group                        ; named list

addr-spec   =  local-part "@" domain        ; global address

ALPHA       =  <any ASCII alphabetic character>
                                            ; (101-132, 65.- 90.)
                                            ; (141-172, 97.-122.)

atom        =  1*<any CHAR except specials, SPACE and CTLs>

authentic   =   "From"       ":"   mailbox  ; Single author
            / ( "Sender"     ":"   mailbox  ; Actual submittor
                "From"       ":" 1#mailbox) ; Multiple authors
                                            ;  or not sender

CHAR        =  <any ASCII character>        ; (  0-177,  0.-127.)

comment     =  "(" *(ctext / quoted-pair / comment) ")"

CR          =  <ASCII CR, carriage return>  ; (     15,      13.)

CRLF        =  CR LF

ctext       =  <any CHAR excluding "(",     ; => may be folded
                ")", "\" & CR, & including
                linear-white-space>

CTL         =  <any ASCII control           ; (  0- 37,  0.- 31.)
                character and DEL>          ; (    177,     127.)

date        =  1*2DIGIT month 2DIGIT        ; day month year
                                            ;  e.g. 20 Jun 82

dates       =   orig-date                   ; Original
              [ resent-date ]               ; Forwarded

date-time   =  [ day "," ] date time        ; dd mm yy
                                            ;  hh:mm:ss zzz

day         =  "Mon"  / "Tue" /  "Wed"  / "Thu"
            /  "Fri"  / "Sat" /  "Sun"

delimiters  =  specials / linear-white-space / comment

destination =  "To"          ":" 1#address  ; Primary
            /  "Resent-To"   ":" 1#address
            /  "cc"          ":" 1#address  ; Secondary
            /  "Resent-cc"   ":" 1#address
            /  "bcc"         ":"  #address  ; Blind carbon
            /  "Resent-bcc"  ":"  #address

DIGIT       =  <any ASCII decimal digit>    ; ( 60- 71, 48.- 57.)

domain      =  sub-domain *("." sub-domain)

domain-literal =  "[" *(dtext / quoted-pair) "]"

domain-ref  =  atom                         ; symbolic reference

dtext       =  <any CHAR excluding "[",     ; => may be folded
                "]", "\" & CR, & including
                linear-white-space>

extension-field =
              <Any field which is defined in a document
               published as a formal extension to this
               specification; none will have names beginning
               with the string "X-">

field       =  field-name ":" [ field-body ] CRLF

fields      =    dates                      ; Creation time,
                 source                     ;  author id & one
               1*destination                ;  address required
                *optional-field             ;  others optional

field-body  =  field-body-contents
               [CRLF LWSP-char field-body]

field-body-contents =
              <the ASCII characters making up the field-body, as
               defined in the following sections, and consisting
               of combinations of atom, quoted-string, and
               specials tokens, or else consisting of texts>

field-name  =  1*<any CHAR, excluding CTLs, SPACE, and ":">

group       =  phrase ":" [#mailbox] ";"

hour        =  2DIGIT ":" 2DIGIT [":" 2DIGIT]
                                            ; 00:00:00 - 23:59:59

HTAB        =  <ASCII HT, horizontal-tab>   ; (     11,       9.)

LF          =  <ASCII LF, linefeed>         ; (     12,      10.)

linear-white-space =  1*([CRLF] LWSP-char)  ; semantics = SPACE
                                            ; CRLF => folding

local-part  =  word *("." word)             ; uninterpreted
                                            ; case-preserved

LWSP-char   =  SPACE / HTAB                 ; semantics = SPACE

mailbox     =  addr-spec                    ; simple address
            /  phrase route-addr            ; name & addr-spec

message     =  fields *( CRLF *text )       ; Everything after
                                            ;  first null line
                                            ;  is message body

month       =  "Jan"  /  "Feb" /  "Mar"  /  "Apr"
            /  "May"  /  "Jun" /  "Jul"  /  "Aug"
            /  "Sep"  /  "Oct" /  "Nov"  /  "Dec"

msg-id      =  "<" addr-spec ">"            ; Unique message id

optional-field =
            /  "Message-ID"        ":"   msg-id
            /  "Resent-Message-ID" ":"   msg-id
            /  "In-Reply-To"       ":"  *(phrase / msg-id)
            /  "References"        ":"  *(phrase / msg-id)
            /  "Keywords"          ":"  #phrase
            /  "Subject"           ":"  *text
            /  "Comments"          ":"  *text
            /  "Encrypted"         ":" 1#2word
            /  extension-field              ; To be defined
            /  user-defined-field           ; May be pre-empted

orig-date   =  "Date"        ":"   date-time

originator  =   authentic                   ; authenticated addr
              [ "Reply-To"   ":" 1#address] )

phrase      =  1*word                       ; Sequence of words

qtext       =  <any CHAR excepting <">,     ; => may be folded
                "\" & CR, and including
                linear-white-space>

quoted-pair =  "\" CHAR                     ; may quote any char

quoted-string = <"> *(qtext/quoted-pair) <">; Regular qtext or
                                            ;   quoted chars.

received    =  "Received"    ":"            ; one per relay
                  ["from" domain]           ; sending host
                  ["by"   domain]           ; receiving host
                  ["via"  atom]             ; physical path
                 *("with" atom)             ; link/mail protocol
                  ["id"   msg-id]           ; receiver msg id
                  ["for"  addr-spec]        ; initial form
                   ";"    date-time         ; time received

resent      =   resent-authentic
              [ "Resent-Reply-To"  ":" 1#address] )

resent-authentic =
            =   "Resent-From"      ":"   mailbox
            / ( "Resent-Sender"    ":"   mailbox
                "Resent-From"      ":" 1#mailbox  )

resent-date =  "Resent-Date" ":"   date-time

return      =  "Return-path" ":" route-addr ; return address

route       =  1#("@" domain) ":"           ; path-relative

route-addr  =  "<" [route] addr-spec ">"

source      =  [  trace ]                   ; net traversals
                  originator                ; original mail
               [  resent ]                  ; forwarded

SPACE       =  <ASCII SP, space>            ; (     40,      32.)

specials    =  "(" / ")" / "<" / ">" / "@"  ; Must be in quoted-
            /  "," / ";" / ":" / "\" / <">  ;  string, to use
            /  "." / "[" / "]"              ;  within a word.

sub-domain  =  domain-ref / domain-literal

text        =  <any CHAR, including bare    ; => atoms, specials,
                CR & bare LF, but NOT       ;  comments and
                including CRLF>             ;  quoted-strings are
                                            ;  NOT recognized.

time        =  hour zone                    ; ANSI and Military

trace       =  return                       ; path to sender
               1*received                   ; receipt tags

user-defined-field =
              <Any field which has not been defined
               in this specification or published as an
               extension to this specification; names for
               such fields must be unique and may be
               pre-empted by published extensions>

word        =  atom / quoted-string

zone        =  "UT"  / "GMT"                ; Universal Time
                                            ; North American : UT
            /  "EST" / "EDT"                ;  Eastern:  - 5/ - 4
            /  "CST" / "CDT"                ;  Central:  - 6/ - 5
            /  "MST" / "MDT"                ;  Mountain: - 7/ - 6
            /  "PST" / "PDT"                ;  Pacific:  - 8/ - 7
            /  1ALPHA                       ; Military: Z = UT;

<">         =  <ASCII quote mark>           ; (     42,      34.)
B.1 pem_syntax.theory

Theory: pem_syntax

Parents:
    string
    HOL

Type constants:
    preeb 0
    posteb 0
    pemtypes 0
    proctype 0
    contentdescrip 0
    contentdomain 0
    algid 0
    IV 0
    dekinfo 0
    certificate 0
    id_asymmetric 0
    Key_info 0
    origid_asymm 0
    MIC_info 0

Term constants:
    is_preeb (Prefix) :string -> bool
    REP_preeb (Prefix) :preeb -> string
    BEGIN (Prefix) :string -> preeb
    is_posteb (Prefix) :string -> bool
    REP_posteb (Prefix) :posteb -> string
    END (Prefix) :string -> posteb
    REP_pemtypes (Prefix) :pemtypes -> (one + one + one + one + one) ltree
    ABS_pemtypes (Prefix) :(one + one + one + one + one) ltree -> pemtypes
    ENCRYPTED (Prefix) :pemtypes
    MIC_ONLY (Prefix) :pemtypes
    MIC_CLEAR (Prefix) :pemtypes
    CRL (Prefix) :pemtypes
    CRL_RETRIEVAL_REQUEST (Prefix) :pemtypes
    is_proctype (Prefix) :num # pemtypes -> bool
    REP_proctype (Prefix) :proctype -> num # pemtypes
    Proc_Type (Prefix) :num # pemtypes -> proctype
    REP_contentdescrip (Prefix) :contentdescrip -> one ltree
    ABS_contentdescrip (Prefix) :one ltree -> contentdescrip
    RFC822 (Prefix) :contentdescrip
    REP_contentdomain (Prefix) :contentdomain -> contentdescrip ltree
    ABS_contentdomain (Prefix) :contentdescrip ltree -> contentdomain
    Content_Domain (Prefix) :contentdescrip -> contentdomain
    REP_algid (Prefix) :algid -> (one + one + one + one + one + one) ltree
    ABS_algid (Prefix) :(one + one + one + one + one + one) ltree -> algid
    DES_CBC (Prefix) :algid
    DES_EDE (Prefix) :algid
    DES_ECB (Prefix) :algid
    RSA (Prefix) :algid
    RSA_MD2 (Prefix) :algid
    RSA_MD5 (Prefix) :algid
    REP_IV (Prefix) :IV -> one ltree
    ABS_IV (Prefix) :one ltree -> IV
    IV (Prefix) :IV
    is_dekinfo (Prefix) :algid # IV -> bool
    REP_dekinfo (Prefix) :dekinfo -> algid # IV
    DEK_Info (Prefix) :algid # IV -> dekinfo
    REP_certificate (Prefix) :certificate -> string ltree
    ABS_certificate (Prefix) :string ltree -> certificate
    Certificate (Prefix) :string -> certificate
    REP_id_asymmetric (Prefix) :id_asymmetric -> string ltree
    ABS_id_asymmetric (Prefix) :string ltree -> id_asymmetric
    ID_Asymmetric (Prefix) :string -> id_asymmetric
    is_Key_info (Prefix) :algid # string -> bool
    REP_Key_info (Prefix) :Key_info -> algid # string
    Key_Info (Prefix) :algid # string -> Key_info
    REP_origid_asymm (Prefix) :origid_asymm -> (one + one) ltree
    ABS_origid_asymm (Prefix) :(one + one) ltree -> origid_asymm
    certificate (Prefix) :origid_asymm
    id_asymmetric (Prefix) :origid_asymm
    is_MIC_info (Prefix) :algid # algid # string -> bool
    REP_MIC_info (Prefix) :MIC_info -> algid # algid # string
    MIC_Info (Prefix) :algid # algid # string -> MIC_info

Axioms:


Definitions:

is_preeb  |- !s. is_preeb s = (s = "PRIVACY-ENHANCED MESSAGE")
preeb_TY_DEF  |- ?rep. TYPE_DEFINITION is_preeb rep
preeb_ISO_DEF
  |- (!a. BEGIN (REP_preeb a) = a) /\
     (!r. is_preeb r = (REP_preeb (BEGIN r) = r))
is_posteb  |- !s. is_posteb s = (s = "PRIVACY-ENHANCED MESSAGE")
posteb_TY_DEF  |- ?rep. TYPE_DEFINITION is_posteb rep
posteb_ISO_DEF
  |- (!a. END (REP_posteb a) = a) /\
     (!r. is_posteb r = (REP_posteb (END r) = r))
pemtypes_TY_DEF
  |- ?rep.
      TYPE_DEFINITION
      (TRP
       (\v tl.
         (v = INL one) /\ (LENGTH tl = 0) \/
         (v = INR (INL one)) /\ (LENGTH tl = 0) \/
         (v = INR (INR (INL one))) /\ (LENGTH tl = 0) \/
         (v = INR (INR (INR (INL one)))) /\ (LENGTH tl = 0) \/
         (v = INR (INR (INR (INR one)))) /\ (LENGTH tl = 0)))
      rep
pemtypes_ISO_DEF
  |- (!a. ABS_pemtypes (REP_pemtypes a) = a) /\
     (!r.
       TRP
       (\v tl.
         (v = INL one) /\ (LENGTH tl = 0) \/
         (v = INR (INL one)) /\ (LENGTH tl = 0) \/
         (v = INR (INR (INL one))) /\ (LENGTH tl = 0) \/
         (v = INR (INR (INR (INL one)))) /\ (LENGTH tl = 0) \/
         (v = INR (INR (INR (INR one)))) /\ (LENGTH tl = 0))
       r =
       (REP_pemtypes (ABS_pemtypes r) = r))
ENCRYPTED_DEF  |- ENCRYPTED = ABS_pemtypes (Node (INL one) [])
MIC_ONLY_DEF  |- MIC_ONLY = ABS_pemtypes (Node (INR (INL one)) [])
MIC_CLEAR_DEF  |- MIC_CLEAR = ABS_pemtypes (Node (INR (INR (INL one))) [])
CRL_DEF  |- CRL = ABS_pemtypes (Node (INR (INR (INR (INL one)))) [])
CRL_RETRIEVAL_REQUEST_DEF
  |- CRL_RETRIEVAL_REQUEST =
     ABS_pemtypes (Node (INR (INR (INR (INR one)))) [])
is_proctype  |- !proctype. is_proctype proctype = (FST proctype = 4)
proctype_TY_DEF  |- ?rep. TYPE_DEFINITION is_proctype rep
proctype_ISO_DEF
  |- (!a. Proc_Type (REP_proctype a) = a) /\
     (!r. is_proctype r = (REP_proctype (Proc_Type r) = r))
contentdescrip_TY_DEF
  |- ?rep. TYPE_DEFINITION (TRP (\v tl. (v = one) /\ (LENGTH tl = 0))) rep
contentdescrip_ISO_DEF
  |- (!a. ABS_contentdescrip (REP_contentdescrip a) = a) /\
     (!r.
       TRP (\v tl. (v = one) /\ (LENGTH tl = 0)) r =
       (REP_contentdescrip (ABS_contentdescrip r) = r))
RFC822_DEF  |- RFC822 = ABS_contentdescrip (Node one [])
contentdomain_TY_DEF
  |- ?rep. TYPE_DEFINITION (TRP (\v tl. (?c. v = c) /\ (LENGTH tl = 0))) rep
contentdomain_ISO_DEF
  |- (!a. ABS_contentdomain (REP_contentdomain a) = a) /\
     (!r.
       TRP (\v tl. (?c. v = c) /\ (LENGTH tl = 0)) r =
       (REP_contentdomain (ABS_contentdomain r) = r))
Content_Domain_DEF  |- !c. Content_Domain c = ABS_contentdomain (Node c [])
algid_TY_DEF
  |- ?rep.
      TYPE_DEFINITION
      (TRP
       (\v tl.
         (v = INL one) /\ (LENGTH tl = 0) \/
         (v = INR (INL one)) /\ (LENGTH tl = 0) \/
         (v = INR (INR (INL one))) /\ (LENGTH tl = 0) \/
         (v = INR (INR (INR (INL one)))) /\ (LENGTH tl = 0) \/
         (v = INR (INR (INR (INR (INL one))))) /\ (LENGTH tl = 0) \/
         (v = INR (INR (INR (INR (INR one))))) /\ (LENGTH tl = 0)))
      rep
algid_ISO_DEF
  |- (!a. ABS_algid (REP_algid a) = a) /\
     (!r.
       TRP
       (\v tl.
         (v = INL one) /\ (LENGTH tl = 0) \/
         (v = INR (INL one)) /\ (LENGTH tl = 0) \/
         (v = INR (INR (INL one))) /\ (LENGTH tl = 0) \/
         (v = INR (INR (INR (INL one)))) /\ (LENGTH tl = 0) \/
         (v = INR (INR (INR (INR (INL one))))) /\ (LENGTH tl = 0) \/
         (v = INR (INR (INR (INR (INR one))))) /\ (LENGTH tl = 0))
       r =
       (REP_algid (ABS_algid r) = r))
DES_CBC_DEF  |- DES_CBC = ABS_algid (Node (INL one) [])
DES_EDE_DEF  |- DES_EDE = ABS_algid (Node (INR (INL one)) [])
DES_ECB_DEF  |- DES_ECB = ABS_algid (Node (INR (INR (INL one))) [])
RSA_DEF  |- RSA = ABS_algid (Node (INR (INR (INR (INL one)))) [])
RSA_MD2_DEF
  |- RSA_MD2 = ABS_algid (Node (INR (INR (INR (INR (INL one))))) [])
RSA_MD5_DEF
  |- RSA_MD5 = ABS_algid (Node (INR (INR (INR (INR (INR one))))) [])
IV_TY_DEF
  |- ?rep. TYPE_DEFINITION (TRP (\v tl. (v = one) /\ (LENGTH tl = 0))) rep
IV_ISO_DEF
  |- (!a. ABS_IV (REP_IV a) = a) /\
     (!r.
       TRP (\v tl. (v = one) /\ (LENGTH tl = 0)) r = (REP_IV (ABS_IV r) = r))
IV_DEF  |- IV = ABS_IV (Node one [])
is_dekinfo  |- !x. is_dekinfo x = (FST x = DES_CBC)
dekinfo_TY_DEF  |- ?rep. TYPE_DEFINITION is_dekinfo rep
dekinfo_ISO_DEF
  |- (!a. DEK_Info (REP_dekinfo a) = a) /\
     (!r. is_dekinfo r = (REP_dekinfo (DEK_Info r) = r))
certificate_TY_DEF
  |- ?rep. TYPE_DEFINITION (TRP (\v tl. (?s. v = s) /\ (LENGTH tl = 0))) rep
certificate_ISO_DEF
  |- (!a. ABS_certificate (REP_certificate a) = a) /\
     (!r.
       TRP (\v tl. (?s. v = s) /\ (LENGTH tl = 0)) r =
       (REP_certificate (ABS_certificate r) = r))
Certificate_DEF  |- !s. Certificate s = ABS_certificate (Node s [])
id_asymmetric_TY_DEF
  |- ?rep. TYPE_DEFINITION (TRP (\v tl. (?s. v = s) /\ (LENGTH tl = 0))) rep
id_asymmetric_ISO_DEF
  |- (!a. ABS_id_asymmetric (REP_id_asymmetric a) = a) /\
     (!r.
       TRP (\v tl. (?s. v = s) /\ (LENGTH tl = 0)) r =
       (REP_id_asymmetric (ABS_id_asymmetric r) = r))
ID_Asymmetric_DEF  |- !s. ID_Asymmetric s = ABS_id_asymmetric (Node s [])
is_Key_info  |- !x. is_Key_info x = (FST x = RSA)
Key_info_TY_DEF  |- ?rep. TYPE_DEFINITION is_Key_info rep
Key_info_ISO_DEF
  |- (!a. Key_Info (REP_Key_info a) = a) /\
     (!r. is_Key_info r = (REP_Key_info (Key_Info r) = r))
origid_asymm_TY_DEF
  |- ?rep.
      TYPE_DEFINITION
      (TRP
       (\v tl.
         (v = INL one) /\ (LENGTH tl = 0) \/
         (v = INR one) /\ (LENGTH tl = 0)))
      rep
origid_asymm_ISO_DEF
  |- (!a. ABS_origid_asymm (REP_origid_asymm a) = a) /\
     (!r.
       TRP
       (\v tl.
         (v = INL one) /\ (LENGTH tl = 0) \/
         (v = INR one) /\ (LENGTH tl = 0))
       r =
       (REP_origid_asymm (ABS_origid_asymm r) = r))
certificate_DEF  |- certificate = ABS_origid_asymm (Node (INL one) [])
id_asymmetric_DEF  |- id_asymmetric = ABS_origid_asymm (Node (INR one) [])
is_MIC_info
  |- !x.
      is_MIC_info x =
      ((FST x = RSA_MD2) \/ (FST x = RSA_MD5)) /\
      ((FST (SND x) = DES_EDE) \/
       (FST (SND x) = DES_ECB) \/
       (FST (SND x) = RSA))
MIC_info_TY_DEF  |- ?rep. TYPE_DEFINITION is_MIC_info rep
MIC_info_ISO_DEF
  |- (!a. MIC_Info (REP_MIC_info a) = a) /\
     (!r. is_MIC_info r = (REP_MIC_info (MIC_Info r) = r))

Theorems:

REP_preeb_INVERTS  |- !a. BEGIN (REP_preeb a) = a
REP_preeb_ONE_ONE  |- !a a'. (REP_preeb a = REP_preeb a') = (a = a')
REP_preeb_ONTO  |- !r. is_preeb r = (?a. r = REP_preeb a)
ABS_preeb_INVERTS  |- !r. is_preeb r ==> (REP_preeb (BEGIN r) = r)
ABS_preeb_ONE_ONE
  |- !r r'. is_preeb r ==> is_preeb r' ==> ((BEGIN r = BEGIN r') = (r = r'))
ABS_preeb_ONTO  |- !a. ?r. (a = BEGIN r) /\ is_preeb r
REP_posteb_INVERTS  |- !a. END (REP_posteb a) = a
REP_posteb_ONE_ONE  |- !a a'. (REP_posteb a = REP_posteb a') = (a = a')
REP_posteb_ONTO  |- !r. is_posteb r = (?a. r = REP_posteb a)
ABS_posteb_INVERTS  |- !r. is_posteb r ==> (REP_posteb (END r) = r)
ABS_posteb_ONE_ONE
  |- !r r'. is_posteb r ==> is_posteb r' ==> ((END r = END r') = (r = r'))
ABS_posteb_ONTO  |- !a. ?r. (a = END r) /\ is_posteb r
pemtypes
  |- !e0 e1 e2 e3 e4.
      ?!fn.
       (fn ENCRYPTED = e0) /\
       (fn MIC_ONLY = e1) /\
       (fn MIC_CLEAR = e2) /\
       (fn CRL = e3) /\
       (fn CRL_RETRIEVAL_REQUEST = e4)
pemtypes_INDUCT
  |- !P.
      P ENCRYPTED /\
      P MIC_ONLY /\
      P MIC_CLEAR /\
      P CRL /\
      P CRL_RETRIEVAL_REQUEST ==>
      (!p. P p)
pemtypes_DISTINCT
  |- ~(ENCRYPTED = MIC_ONLY) /\
     ~(ENCRYPTED = MIC_CLEAR) /\
     ~(ENCRYPTED = CRL) /\
     ~(ENCRYPTED = CRL_RETRIEVAL_REQUEST) /\
     ~(MIC_ONLY = MIC_CLEAR) /\
     ~(MIC_ONLY = CRL) /\
     ~(MIC_ONLY = CRL_RETRIEVAL_REQUEST) /\
     ~(MIC_CLEAR = CRL) /\
     ~(MIC_CLEAR = CRL_RETRIEVAL_REQUEST) /\
     ~(CRL = CRL_RETRIEVAL_REQUEST)
pemtypes_CASES
  |- !p.
      (p = ENCRYPTED) \/
      (p = MIC_ONLY) \/
      (p = MIC_CLEAR) \/
      (p = CRL) \/
      (p = CRL_RETRIEVAL_REQUEST)
REP_proctype_INVERTS  |- !a. Proc_Type (REP_proctype a) = a
REP_proctype_ONE_ONE  |- !a a'. (REP_proctype a = REP_proctype a') = (a = a')
REP_proctype_ONTO  |- !r. is_proctype r = (?a. r = REP_proctype a)
ABS_proctype_INVERTS  |- !r. is_proctype r ==> (REP_proctype (Proc_Type r) = r)
ABS_proctype_ONE_ONE
  |- !r r'.
      is_proctype r ==>
      is_proctype r' ==>
      ((Proc_Type r = Proc_Type r') = (r = r'))
ABS_proctype_ONTO  |- !a. ?r. (a = Proc_Type r) /\ is_proctype r
contentdescrip  |- !e. ?!fn. fn RFC822 = e
contentdescrip_INDUCT  |- !P. P RFC822 ==> (!c. P c)
contentdescrip_CASES  |- !c. c = RFC822
contentdomain  |- !f. ?!fn. !c. fn (Content_Domain c) = f c
contentdomain_INDUCT  |- !P. (!c. P (Content_Domain c)) ==> (!c. P c)
contentdomain_CASES  |- !c. ?c'. c = Content_Domain c'
algid
  |- !e0 e1 e2 e3 e4 e5.
      ?!fn.
       (fn DES_CBC = e0) /\
       (fn DES_EDE = e1) /\
       (fn DES_ECB = e2) /\
       (fn RSA = e3) /\
       (fn RSA_MD2 = e4) /\
       (fn RSA_MD5 = e5)
algid_INDUCT
  |- !P.
      P DES_CBC /\
      P DES_EDE /\
      P DES_ECB /\
      P RSA /\
      P RSA_MD2 /\
      P RSA_MD5 ==>
      (!a. P a)
algid_DISTINCT
  |- ~(DES_CBC = DES_EDE) /\
     ~(DES_CBC = DES_ECB) /\
     ~(DES_CBC = RSA) /\
     ~(DES_CBC = RSA_MD2) /\
     ~(DES_CBC = RSA_MD5) /\
     ~(DES_EDE = DES_ECB) /\
     ~(DES_EDE = RSA) /\
     ~(DES_EDE = RSA_MD2) /\
     ~(DES_EDE = RSA_MD5) /\
     ~(DES_ECB = RSA) /\
     ~(DES_ECB = RSA_MD2) /\
     ~(DES_ECB = RSA_MD5) /\
     ~(RSA = RSA_MD2) /\
     ~(RSA = RSA_MD5) /\
     ~(RSA_MD2 = RSA_MD5)
algid_CASES
  |- !a.
      (a = DES_CBC) \/
      (a = DES_EDE) \/
      (a = DES_ECB) \/
      (a = RSA) \/
      (a = RSA_MD2) \/
      (a = RSA_MD5)
IV  |- !e. ?!fn. fn IV = e
REP_dekinfo_INVERTS  |- !a. DEK_Info (REP_dekinfo a) = a
REP_dekinfo_ONE_ONE  |- !a a'. (REP_dekinfo a = REP_dekinfo a') = (a = a')
REP_dekinfo_ONTO  |- !r. is_dekinfo r = (?a. r = REP_dekinfo a)
ABS_dekinfo_INVERTS  |- !r. is_dekinfo r ==> (REP_dekinfo (DEK_Info r) = r)
ABS_dekinfo_ONE_ONE
  |- !r r'.
      is_dekinfo r ==>
      is_dekinfo r' ==>
      ((DEK_Info r = DEK_Info r') = (r = r'))
ABS_dekinfo_ONTO  |- !a. ?r. (a = DEK_Info r) /\ is_dekinfo r
certificate  |- !f. ?!fn. !s. fn (Certificate s) = f s
id_asymmetric  |- !f. ?!fn. !s. fn (ID_Asymmetric s) = f s
REP_Key_info_INVERTS  |- !a. Key_Info (REP_Key_info a) = a
REP_Key_info_ONE_ONE  |- !a a'. (REP_Key_info a = REP_Key_info a') = (a = a')
REP_Key_info_ONTO  |- !r. is_Key_info r = (?a. r = REP_Key_info a)
ABS_Key_info_INVERTS  |- !r. is_Key_info r ==> (REP_Key_info (Key_Info r) = r)
ABS_Key_info_ONE_ONE
  |- !r r'.
      is_Key_info r ==>
      is_Key_info r' ==>
      ((Key_Info r = Key_Info r') = (r = r'))
ABS_Key_info_ONTO  |- !a. ?r. (a = Key_Info r) /\ is_Key_info r
origid_asymm
  |- !e0 e1. ?!fn. (fn certificate = e0) /\ (fn id_asymmetric = e1)
REP_MIC_info_INVERTS  |- !a. MIC_Info (REP_MIC_info a) = a
REP_MIC_info_ONE_ONE  |- !a a'. (REP_MIC_info a = REP_MIC_info a') = (a = a')
REP_MIC_info_ONTO  |- !r. is_MIC_info r = (?a. r = REP_MIC_info a)
ABS_MIC_info_INVERTS  |- !r. is_MIC_info r ==> (REP_MIC_info (MIC_Info r) = r)
ABS_MIC_info_ONE_ONE
  |- !r r'.
      is_MIC_info r ==>
      is_MIC_info r' ==>
      ((MIC_Info r = MIC_Info r') = (r = r'))
ABS_MIC_info_ONTO  |- !a. ?r. (a = MIC_Info r) /\ is_MIC_info r


B.2  pem_syntax.sml 


Cxaaaaaaaaaa::: 
C*  File: 

pem, syntax. sml 

*) 

(>*  Description: 

FEI  mess).ge  synt«.x 

Hc) 

Da.te: 

July  2,  1996 

>#) 

Author: 

Shiu-Eai  Chin,  xith  amall  modification 

Hc) 

<* 

by  Dui  Zhou 

load.IiRxixyClib  :  holBB.lib,  xheoiy  :  "-"3; 
open  Payntax  Compat; 

C*  Definition  of  PEH  meaaagea.  »*) 

nex.theoxy  "pem.ayntax"; 
nex.paxent  "atxing"; 

uae  "/and/humbolt/aif/holSO.I/libxaxyfatxing/aic/aacii.conY. ami"; 
uae  "/amd/hnmbolt/ax/holBO.T/libxaxy/atxing/axc/atiing.c.onY.aml"; 
nae  '7 imd/humbolt/ax/holBO. T/libxaxy/atxing/axc/atiing.xulea. ami"; 
open  Stxing.xnlea; 


add.definitiona.to.aml  "atxing"; 
add.theoxema.to.aml  "atxing"; 

add.tReoiy.to.aml  "paix"; 
add.definitiona.to.aml  'paix"; 
add.theoxy.to.aml  "liat"; 
add.definitiona.to.aml  "liat"; 

C*;  ;  c  5  t  t  t  t 

C*  Define  pxe-encapaulation  bonndaxy  *) 

Yal  ia.pxeeb  t  nex.def inition  C"i3.pxeeb",(--‘i3.pxeeb(a:atxing) 
:  Ca  :  "PRIViCY-EIHAICED  EESSABE")' ; 

Yal  exiata.pxeeb  ‘  TAC.PRDDFC 

CP, --‘ta. ia.pxeeb  a'--), 

EXISTS. TAC  (--‘'TRIVACY-EHHAHCED  HESSA6E"‘— )  THEI 
RElfRITE.TAC  [ia.pxeeb]); 
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Ya.1  preeb.T'Y.DEF  t  neir.type.del iiiition(**pi&eb", 
<--‘is,pi00b*--), exists.pioeb); 

Yil  pr00b,ISD.DEF  s  d0i in0.n0Tr,typ0.bij0ctions 

■•proob.ISn.DEF"  "BEGn"  "KEP.piGOb"  p100b.TY.DEF; 


Yil  REP.proob.IHYERTS  ; 

3!LY0.thm<"REP.pr00b.IEVERTS",CCffJUirCTl  preeb.ISD.DEF) ; 
Ya.1  REP.pr00b.DFE.DEE  s 

sj.Y0.thm<'  'REP.pr00b.DEE.DEE",proY0.x©p.Yn.on0,on0 
px00b.ISD.DEF) ; 


Yil  REP.px00b.DETD  t 

SiYG.thmC'REP.pxoob.DETD",  pxoYo.xop.in.onto  pxGGb.ISD.DEF) ; 

Yil  ABS.px00b.IEVERTS  « 

slYG.thmC'JLBS.pxeeb.IEVERTS",  CDEJEECT2  px00b.ISD.DEF); 

Ytl  A6S.px00b.aEE.DEE  t 

3 5.Y0.thm<"AB S.px00b. DEE. DEE“,proY0.j.bs.f  11.0110. on©  pr00b.ISD.DEF); 
Yll  A6S.px0@b.DETa  « 

5i.Y0.thm<"ADS.pxo0b.OETD'‘,  proYo.ibs.tn.onto  pr00b.ISD.DEF); 


<><‘5  i  s  «  t  j  j  5  t*) 

<,*  D0fin0  post-0Rta.psula.tion  boundary  »*) 

Ya.1  is.post0b  s  nox.d©! initionC 

' 'is.post0b", ‘ is.post 0b<s : string)  t 
<s  t  'TRIYACY-EEHAECED  lESSAGE") ‘ --)) ; 

Ya.1  0xists.postob  t  TAC.PRDDF< 

(□,--‘ts.is.post9b  s‘--), 

EXISTS. TAC  <--‘'TRIYACY-EEHAECO  lESSAGE"* --)  THEE 
REHRITE.TAC  [is.post 9b] ) ; 

Ya.1  post0b.TY.DEF  5  n0T.typ9.d0Y inition<"po5t0b", 

‘is.postob* --) ,0xists.po3tob); 

Ya.1  po3t0b.ISD-DEF  5  d9f ino.noT.typo.bijoctions 

"post0b.ISQ.DEr '  "EED"  "REP.postob"  postob.TY.DEF; 


Ya.1  REP.post0b.IEYERTS  t 

sa.Y0.thiii("REP.post0b.IEYERTS",CCEJEECTl  post0b.ISD.DEF) ; 

Ya.1  REP.post0b.DEE.DEE  5 

s  a.Y0.thm<'  'REP  .  pos  t  ©b.  DEE.  D  EE",  pxoY©.x©p.Y  n.on0,on0 
post0b.ISD.DEF); 

Ya.1  REP  .post  ©b.DETD  t 

sa.Y0.thm<'  'REP.  post  ©b.DETD",  pxovo.xop.Yn.onto  post0b.ISD.DEF); 
Ya.1  ABS.po3t0b.IEYERTS  : 

3iY0.thmC"ABS.post0b.IEYERTS",  CDEJDECT2  po3t0b.ISD.DEF); 

Ya.1  ABS.post0b.DEE. DEE  : 

sa.Y0.tlim("ABS.po3t0b.QEE.DEE'  ',pxoY0.a.bs.ln,on0.on0 
post0b.ISD.DEF); 


Ya.1  ADS, post  ©b.DETD  t 

sa.Y0.thiii('  'ABS. post  ©b.DETD",  pxoY0.a.b3.fn,onto  post9b.ISD.DEF); 
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<»j  :  ;  :  s  s  -  • 

<*  xe  xill  just  tike  pemtext  is  i  string,  so  there  is  no  need 
<*  to  hive  i  sepirite  type  for  it 

<>*:  :  s  t  t  -  s  • 

(*  Definitions  of  heider  structures  >«) 

<*  Define  the  mossige  typos.  *) 

Yil  posrtypos  s  define_type 
<nimes'  'pomtypos", 

fixitiost[Pref  ix.  Prefix, Prefix, Prof  ix.Prefix], 
type.spec  s  ‘pentypes  t  ZDCRYPTED  I  KIC.DFLY  I  IIC^CLRAR 
I  CRL  I  CRL.RETRIEVAL.REIlTrEST*); 

Yil  pemtypes_IHDDCT  s 

siYe.thmC 'pomtypos. IlIDUCT',proYo. induct ion.thn  pemtypes); 

Yil  pemtypes.DISTIHCT  s 

siYe.thm<‘'peiirtypos.DISTIICT',proYO.  constructors. distinct 

pemtypes); 

Yil  pomtypos. CASES  ‘ 

siYo.thmC'pemtypes. CASES",  proYe.cises.thm  pemtypes.IBDDCT); 


sue) 


(*==============================================================*)

(* The Proc_type field has two subfields. The first is a number *)
(* identifying the version of PEM. The second identifies the    *)
(* type of security used.                                       *)

(* Define the subset of pairs *)

val is_proctype = new_definition
    ("is_proctype",
     (--`is_proctype(proctype:(num#pemtypes))
         = (FST proctype = 4)`--));

add_theorems_to_sml "pair";

(* Show at least one element exists in the type *)
val exists_proctype = TAC_PROOF(
    ([],(--`?x:(num#pemtypes). is_proctype x`--)),
    EXISTS_TAC (--`(4,ENCRYPTED)`--)
    THEN REWRITE_TAC [is_proctype,FST]);

val proctype_TY_DEF = new_type_definition("proctype",
    (--`is_proctype`--),exists_proctype);

val proctype_ISO_DEF = define_new_type_bijections
    "proctype_ISO_DEF" "Proc_Type" "REP_proctype" proctype_TY_DEF;

val REP_proctype_INVERTS =
    save_thm("REP_proctype_INVERTS",CONJUNCT1 proctype_ISO_DEF);

val REP_proctype_ONE_ONE =
    save_thm("REP_proctype_ONE_ONE",prove_rep_fn_one_one
                                    proctype_ISO_DEF);

val REP_proctype_ONTO =
    save_thm("REP_proctype_ONTO",prove_rep_fn_onto
                                 proctype_ISO_DEF);

val ABS_proctype_INVERTS =
    save_thm("ABS_proctype_INVERTS", CONJUNCT2 proctype_ISO_DEF);

val ABS_proctype_ONE_ONE =
    save_thm("ABS_proctype_ONE_ONE",prove_abs_fn_one_one
                                    proctype_ISO_DEF);

val ABS_proctype_ONTO =
    save_thm("ABS_proctype_ONTO", prove_abs_fn_onto
                                  proctype_ISO_DEF);

(*==============================================================*)

(* Definition of contentdescrip *)

val contentdescrip = define_type
    {name = "contentdescrip",
     fixities = [Prefix],
     type_spec = `contentdescrip = RFC822`};

val contentdescrip_INDUCT =
    save_thm("contentdescrip_INDUCT",prove_induction_thm
                                     contentdescrip);

val contentdescrip_CASES =
    save_thm("contentdescrip_CASES", prove_cases_thm
                                     contentdescrip_INDUCT);


(*==============================================================*)

(* Definition of contentdomain *)

val contentdomain = define_type
    {name = "contentdomain",
     fixities = [Prefix],
     type_spec = `contentdomain = Content_Domain of
                                  contentdescrip`};

val contentdomain_INDUCT =
    save_thm("contentdomain_INDUCT",prove_induction_thm
                                    contentdomain);

val contentdomain_CASES =
    save_thm("contentdomain_CASES", prove_cases_thm
                                    contentdomain_INDUCT);

(*==============================================================*)

(* Definitions of algid *)

val algid = define_type
    {name = "algid",
     fixities = [Prefix, Prefix, Prefix, Prefix, Prefix, Prefix],
     type_spec = `algid = DES_CBC | DES_EDE | DES_ECB | RSA
                          | RSA_MD2 | RSA_MD5`};


val algid_INDUCT =
    save_thm("algid_INDUCT",prove_induction_thm algid);

val algid_DISTINCT =
    save_thm("algid_DISTINCT",prove_constructors_distinct algid);

val algid_CASES =
    save_thm("algid_CASES", prove_cases_thm algid_INDUCT);
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:  s  t  5  i  i  =*) 

<»  Tiizs  dekpuimeters  --  juat  16  hex  chiricteia  ioi  «i  initixliiition 
Yectoi  >») 

YJ.1  IV  :  define. typo 
inuie  t  “IV", 
fixitioa  :  [Prefix], 
type.apec  :  ‘IV  a  IV‘); 


(*==============================================================*)

(* Definition of dekinfo *)

val is_dekinfo = new_definition("is_dekinfo",
    (--`is_dekinfo(x:(algid#IV)) = (FST x = DES_CBC)`--));

val exists_dekinfo = TAC_PROOF(
    ([],(--`?a. is_dekinfo(a)`--)),
    EXISTS_TAC (--`(DES_CBC,IV)`--) THEN
    REWRITE_TAC [is_dekinfo,FST]);

val dekinfo_TY_DEF = new_type_definition("dekinfo",
    (--`is_dekinfo`--),exists_dekinfo);

val dekinfo_ISO_DEF = define_new_type_bijections
    "dekinfo_ISO_DEF" "DEK_Info" "REP_dekinfo" dekinfo_TY_DEF;

val REP_dekinfo_INVERTS =
    save_thm("REP_dekinfo_INVERTS",CONJUNCT1 dekinfo_ISO_DEF);

val REP_dekinfo_ONE_ONE =
    save_thm("REP_dekinfo_ONE_ONE",prove_rep_fn_one_one
                                   dekinfo_ISO_DEF);

val REP_dekinfo_ONTO =
    save_thm("REP_dekinfo_ONTO", prove_rep_fn_onto
                                 dekinfo_ISO_DEF);

val ABS_dekinfo_INVERTS =
    save_thm("ABS_dekinfo_INVERTS", CONJUNCT2 dekinfo_ISO_DEF);

val ABS_dekinfo_ONE_ONE =
    save_thm("ABS_dekinfo_ONE_ONE",prove_abs_fn_one_one
                                   dekinfo_ISO_DEF);

val ABS_dekinfo_ONTO =
    save_thm("ABS_dekinfo_ONTO", prove_abs_fn_onto
                                 dekinfo_ISO_DEF);


(*==============================================================*)

(* Definition of certificate *)

(* cert - fake it for now as a string *)

val certificate = define_type
    {name = "certificate",
     fixities = [Prefix],
     type_spec = `certificate = Certificate of string`};

(* since we don't really use certificate right now, will just *)
(* leave it here - 4/18/96                                    *)

(* Definition of ID_Asymmetric *)

(* id_asymmetric - fake it for now as a string *)
val id_asymmetric = define_type
    {name = "id_asymmetric",
     fixities = [Prefix],
     type_spec = `id_asymmetric = ID_Asymmetric of string`};


(*==============================================================*)

(* Key-Info *)

(* this is the per-message key encrypted by each recipient's public key *)

val is_Key_info = new_definition
    ("is_Key_info", (--`is_Key_info(x:algid#string) =
                        (* AsymsgKey *)
                        ((FST x) = RSA)`--));


val exists_Key_info = TAC_PROOF(
    ([],(--`?x:algid#string. is_Key_info(x)`--)),
    (* AsymsgKey *)
    EXISTS_TAC (--`(RSA,"abced")`--) THEN
    (* AsymsgKey *)
    REWRITE_TAC [is_Key_info, FST, SND]);

val Key_info_TY_DEF = new_type_definition("Key_info",
    (--`is_Key_info`--),exists_Key_info);

val Key_info_ISO_DEF = define_new_type_bijections
    "Key_info_ISO_DEF" "Key_Info" "REP_Key_info" Key_info_TY_DEF;

val REP_Key_info_INVERTS =
    save_thm("REP_Key_info_INVERTS",CONJUNCT1 Key_info_ISO_DEF);

val REP_Key_info_ONE_ONE =
    save_thm("REP_Key_info_ONE_ONE",prove_rep_fn_one_one
                                    Key_info_ISO_DEF);

val REP_Key_info_ONTO =
    save_thm("REP_Key_info_ONTO", prove_rep_fn_onto
                                  Key_info_ISO_DEF);


val ABS_Key_info_INVERTS =
    save_thm("ABS_Key_info_INVERTS", CONJUNCT2 Key_info_ISO_DEF);

val ABS_Key_info_ONE_ONE =
    save_thm("ABS_Key_info_ONE_ONE",prove_abs_fn_one_one
                                    Key_info_ISO_DEF);


val ABS_Key_info_ONTO =
    save_thm("ABS_Key_info_ONTO", prove_abs_fn_onto
                                  Key_info_ISO_DEF);


(*==============================================================*)

(* Definitions for origflds -- just asymmetric for now *)

(* asymmid - it's either a certificate or id_asymmetric *)

val origid_Asymm = define_type
    {name = "origid_Asymm",
     fixities = [Prefix,Prefix],
     type_spec = `origid_Asymm = certificate | id_asymmetric`};

(*==============================================================*)

(* Definitions for MIC_info *)

val is_MIC_info = new_definition
    ("is_MIC_info", (--`is_MIC_info(x:algid#algid#string) =
        (* asymsignmic *)
        (((FST x) = RSA_MD2) \/ ((FST x) = RSA_MD5)) /\
        (((FST(SND x)) = DES_EDE) \/ ((FST(SND x)) = DES_ECB)
         \/ ((FST(SND x)) = RSA))`--));

val exists_MIC_info = TAC_PROOF(
    ([],(--`?x:algid#algid#string. is_MIC_info(x)`--)),
    (* asymsignmic *)
    EXISTS_TAC (--`(RSA_MD2,DES_EDE,"abced")`--) THEN
    (* asymsignmic *)
    REWRITE_TAC [is_MIC_info, FST, SND]);

val MIC_info_TY_DEF = new_type_definition("MIC_info",
    (--`is_MIC_info`--),exists_MIC_info);

val MIC_info_ISO_DEF = define_new_type_bijections
    "MIC_info_ISO_DEF" "MIC_Info" "REP_MIC_info" MIC_info_TY_DEF;

val REP_MIC_info_INVERTS =
    save_thm("REP_MIC_info_INVERTS",CONJUNCT1 MIC_info_ISO_DEF);

val REP_MIC_info_ONE_ONE =
    save_thm("REP_MIC_info_ONE_ONE",prove_rep_fn_one_one
                                    MIC_info_ISO_DEF);

val REP_MIC_info_ONTO =
    save_thm("REP_MIC_info_ONTO", prove_rep_fn_onto
                                  MIC_info_ISO_DEF);

val ABS_MIC_info_INVERTS =
    save_thm("ABS_MIC_info_INVERTS", CONJUNCT2 MIC_info_ISO_DEF);

val ABS_MIC_info_ONE_ONE =
    save_thm("ABS_MIC_info_ONE_ONE",prove_abs_fn_one_one
                                    MIC_info_ISO_DEF);

val ABS_MIC_info_ONTO =
    save_thm("ABS_MIC_info_ONTO", prove_abs_fn_onto
                                  MIC_info_ISO_DEF);

(*==============================================================*)

(* issuer's certificate *)

(*==============================================================*)

(* recipient information *)

(* a recipient information is: (id_asymmetric#Key_info) *)

(* all recipient information is: (id_asymmetric#Key_info) list *)


close_theory();
export_theory();


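As an added illustration that is not part of the report's HOL sources, the side conditions the subset types is_proctype, is_dekinfo, is_Key_info and is_MIC_info place on the header fields are restated here as Python checks over a constructed PEM encapsulated header. Header spellings follow the RFC 1421 hyphenated identifiers (for example `Proc-Type: 4,ENCRYPTED`); the sample headers, IVs and key material are constructed placeholders, and the parser is an assumption of this example, not a routine from the report.

```python
import re

# Constructors of the HOL type `algid`, keyed by the RFC 1421 spelling
# that appears on the header line.
ALGID = {
    "DES-CBC": "DES_CBC", "DES-EDE": "DES_EDE", "DES-ECB": "DES_ECB",
    "RSA": "RSA", "RSA-MD2": "RSA_MD2", "RSA-MD5": "RSA_MD5",
}
# Constructors of `pemtypes`, again in header spelling.
PEMTYPES = {"ENCRYPTED", "MIC-ONLY", "MIC-CLEAR", "CRL", "CRL-RETRIEVAL-REQUEST"}

# The IV type: "just 16 hex characters for an initialization vector".
_IV_RE = re.compile(r"^[0-9A-Fa-f]{16}$")


def is_proctype(version: int, pemtype: str) -> bool:
    """HOL: is_proctype (n, t) = (FST (n, t) = 4)."""
    return version == 4 and pemtype in PEMTYPES


def is_dekinfo(algid: str, iv: str) -> bool:
    """HOL: is_dekinfo (a, iv) = (FST (a, iv) = DES_CBC)."""
    return ALGID.get(algid) == "DES_CBC" and bool(_IV_RE.match(iv))


def is_Key_info(algid: str, asymsgkey: str) -> bool:
    """HOL: is_Key_info (a, k) = (FST (a, k) = RSA)."""
    return ALGID.get(algid) == "RSA" and asymsgkey != ""


def is_MIC_info(hashid: str, sigid: str, mic: str) -> bool:
    """HOL: (FST x = RSA_MD2 \\/ FST x = RSA_MD5) /\\
            (FST (SND x) = DES_EDE \\/ DES_ECB \\/ RSA)."""
    return (ALGID.get(hashid) in ("RSA_MD2", "RSA_MD5")
            and ALGID.get(sigid) in ("DES_EDE", "DES_ECB", "RSA")
            and mic != "")


def parse_header(block: str) -> dict:
    """Split 'Field: v1,v2,...' lines into {field: [values]}.  The first
    occurrence of a field wins, so a duplicated field later in the block
    cannot override the values that were checked."""
    fields = {}
    for line in block.splitlines():
        name, sep, rest = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), [v.strip() for v in rest.split(",")])
    return fields


def well_formed(block: str) -> list:
    """Names of the violated predicates; an empty list means the header
    is a value of every subset type defined in pem_syntax."""
    f = parse_header(block)
    bad = []
    pt = f.get("Proc-Type", [])
    if len(pt) != 2 or not pt[0].isdigit() or not is_proctype(int(pt[0]), pt[1]):
        bad.append("is_proctype")
    dek = f.get("DEK-Info", [])
    if len(dek) != 2 or not is_dekinfo(*dek):
        bad.append("is_dekinfo")
    ki = f.get("Key-Info", [])
    if len(ki) != 2 or not is_Key_info(*ki):
        bad.append("is_Key_info")
    mi = f.get("MIC-Info", [])
    if len(mi) != 3 or not is_MIC_info(*mi):
        bad.append("is_MIC_info")
    return bad


# Constructed sample headers (IV, key material and MIC are placeholders).
GOOD_HEADER = """\
Proc-Type: 4,ENCRYPTED
Content-Domain: RFC822
DEK-Info: DES-CBC,0123456789ABCDEF
Key-Info: RSA,constructedEncryptedDEK==
MIC-Info: RSA-MD5,RSA,constructedMicValue==
"""

# Wrong PEM version, a non-CBC DEK with a 15-character IV, and a MIC hash
# identifier that is not one of the two digest algorithms.
BAD_HEADER = """\
Proc-Type: 3,ENCRYPTED
DEK-Info: DES-ECB,0123456789ABCDE
Key-Info: RSA,constructedEncryptedDEK==
MIC-Info: DES-CBC,RSA,constructedMicValue==
"""

if __name__ == "__main__":
    print(well_formed(GOOD_HEADER))   # []
    print(well_formed(BAD_HEADER))    # ['is_proctype', 'is_dekinfo', 'is_MIC_info']
```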


Appendix  C 

PEM_DEFINITIONS 


C.1 pem_definitions.theory

Theory: pem_definitions

Parents:
    pem_syntax

Type constants:


Term constants:
    msgreceiver (Prefix) :string
    recipientkey (Prefix) :string
    sDES_EDE (Prefix) :string -> string -> string -> bool
    sDES_ECB (Prefix) :string -> string -> string -> bool
    sRSA (Prefix) :string -> string -> string -> bool
    fRSA (Prefix) :string -> string -> string
    fRSA_MD2 (Prefix) :string -> string
    fRSA_MD5 (Prefix) :string -> string
    fDES_CBC (Prefix) :string -> string -> IV -> string
    get_Key_from_ID (Prefix) :id_asymmetric -> string
    get_DEK_algid (Prefix) :dekinfo -> algid
    get_DEK_IV (Prefix) :dekinfo -> IV
    msg_Encrypt_select (Prefix) :dekinfo -> string -> string -> IV -> string
    get_Recipient (Prefix)
      :string list -> (id_asymmetric # string) list -> id_asymmetric # string
    get_Recipient_key (Prefix) :id_asymmetric # string -> string
    get_Recipient_asyID (Prefix) :id_asymmetric # string -> id_asymmetric
    get_MIC_algid (Prefix) :MIC_info -> algid
    get_MIC_sigalgid (Prefix) :MIC_info -> algid
    get_MIC_mic (Prefix) :MIC_info -> string
    MIC_hash_select (Prefix) :MIC_info -> string -> string
    MIC_sign_select (Prefix) :MIC_info -> string -> string -> string -> bool
    get_KEY_algid (Prefix) :Key_info -> algid
    get_KEY_asymsgKey (Prefix) :Key_info -> string
    DEK_encrypt_select (Prefix) :Key_info -> string -> string -> string
    is_PrivateS (Prefix)
      :(string -> string -> IV -> string) -> string -> string -> IV -> string ->
       bool
    is_PrivateP (Prefix)
      :(string -> string -> string) -> string -> string -> string -> bool
    is_Authentic (Prefix)
      :(string -> string -> string -> bool) -> string -> string -> string -> bool
    is_Authentic2 (Prefix)
      :(string -> string -> string -> bool) -> (string -> string) -> string ->
       string -> string -> bool
    is_Intact (Prefix)
      :(string -> string -> string -> bool) -> (string -> string) -> string ->
       string -> string -> bool
    is_non_deniable (Prefix)
      :(string -> string -> string -> bool) -> string -> string -> string -> bool
Axioms:


Definitions:
    get_DEK_algid  |- !x. get_DEK_algid x = FST (REP_dekinfo x)
    get_DEK_IV  |- !x. get_DEK_IV x = SND (REP_dekinfo x)
    msg_Encrypt_select
      |- !x.
          msg_Encrypt_select x =
          ((get_DEK_algid x = DES_CBC) => fDES_CBC | fDES_CBC)
    get_Recipient_key
      |- !recipient. get_Recipient_key recipient = SND recipient
    get_Recipient_asyID
      |- !recipient. get_Recipient_asyID recipient = FST recipient
    get_MIC_algid  |- !x. get_MIC_algid x = FST (REP_MIC_info x)
    get_MIC_sigalgid  |- !x. get_MIC_sigalgid x = FST (SND (REP_MIC_info x))
    get_MIC_mic  |- !x. get_MIC_mic x = SND (SND (REP_MIC_info x))
    MIC_hash_select
      |- !x.
          MIC_hash_select x =
          ((get_MIC_algid x = RSA_MD2) => fRSA_MD2 | fRSA_MD5)
    MIC_sign_select
      |- !x.
          MIC_sign_select x =
          ((get_MIC_sigalgid x = DES_EDE)
           => sDES_EDE
           | ((get_MIC_sigalgid x = DES_ECB) => sDES_ECB | sRSA))
    get_KEY_algid  |- !x. get_KEY_algid x = FST (REP_Key_info x)
    get_KEY_asymsgKey  |- !x. get_KEY_asymsgKey x = SND (REP_Key_info x)
    DEK_encrypt_select
      |- !x. DEK_encrypt_select x = ((get_KEY_algid x = RSA) => fRSA | fRSA)
    is_PrivateS
      |- !decryptS message rxmsg decryptIV key.
          is_PrivateS decryptS message rxmsg decryptIV key =
          (decryptS rxmsg key decryptIV = message)
    is_PrivateP
      |- !decryptP message rxmsg dkey.
          is_PrivateP decryptP message rxmsg dkey =
          (decryptP rxmsg dkey = message)
    is_Authentic
      |- !verify message signature ekey.
          is_Authentic verify message signature ekey =
          verify message signature ekey
    is_Authentic2
      |- !verify hash message mic ekey.
          is_Authentic2 verify hash message mic ekey =
          verify (hash message) mic ekey
    is_Intact
      |- !verify hash message mic ekey.
          is_Intact verify hash message mic ekey = verify (hash message) mic ekey
    is_non_deniable
      |- !verify message signature ekey.
          is_non_deniable verify message signature ekey =
          verify message signature ekey


Theorems:
    is_Private_DEK
      |- !decryptP encryptP message txmsg rxmsg ekey dKEY0 dkey.
          (rxmsg = txmsg) ==>
          (txmsg = encryptP message ekey) ==>
          (!msg. decryptP (encryptP msg ekey) dKEY0 = msg) ==>
          (!msg d2.
            (decryptP (encryptP msg ekey) d2 = msg) ==> (d2 = dKEY0)) ==>
          ((dkey = dKEY0) = is_PrivateP decryptP message rxmsg dkey)
    is_Private_msg
      |- !decryptS encryptS message txmsg rxmsg decryptIV KEY0 key.
          (rxmsg = txmsg) ==>
          (txmsg = encryptS message KEY0 decryptIV) ==>
          (!msg key.
            (decryptS (encryptS msg key decryptIV) key decryptIV = msg) /\
            (!msg key1.
              (decryptS msg key1 decryptIV = decryptS msg key decryptIV) =
              (key = key1))) ==>
          ((key = KEY0) = is_PrivateS decryptS message rxmsg decryptIV key)
    is_Authentic_MD
      |- !verify sign message txmsg rxmsg ekey dKEY0 dkey.
          (rxmsg = txmsg) ==>
          (txmsg = sign MD dkey) ==>
          (!msg. verify msg (sign msg dkey) ekey = (dkey = dKEY0)) ==>
          ((dkey = dKEY0) = is_Authentic verify MD rxmsg ekey)
    is_Authentic_msg
      |- !verify sign hash message txmic rxmic ekey dKEY0 dkey.
          (rxmic = txmic) ==>
          (txmic = sign (hash message) dkey) ==>
          (!m1 m2 dkey2. verify m1 (sign m2 dkey2) ekey = (dkey2 = dKEY0)) ==>
          ((dkey = dKEY0) = is_Authentic2 verify hash message rxmic ekey)
    is_Intact_msg
      |- !verify sign hash txmessage rxmessage txmic rxmic ekey dkey.
          (txmic = sign (hash txmessage) dkey) ==>
          (rxmic = txmic) ==>
          (!m1 m2. (hash m1 = hash m2) ==> (m1 = m2)) ==>
          (!s1 s2. verify s1 (sign s2 dkey) ekey = (s1 = s2)) ==>
          ((rxmessage = txmessage) = is_Intact verify hash rxmessage rxmic ekey)
    is_non_deniable_msg
      |- !verify sign hash message MESSAGE0 txmic rxmic ekey dKEY0 dkey.
          (rxmic = txmic) ==>
          (txmic = sign (hash MESSAGE0) dkey) ==>
          (!m1 m2. (hash m1 = hash m2) = (m1 = m2)) ==>
          (!m1 m2 dkey2.
            verify m1 (sign m2 dkey2) ekey = (m1 = m2) /\ (dkey2 = dKEY0)) ==>
          ((dkey = dKEY0) /\ (message = MESSAGE0) =
           is_non_deniable verify (hash message) rxmic ekey)
    not_Authentic
      |- !verify sign hash MESSAGE0 txmic rxmic ekey dKEY0.
          (txmic = sign (hash MESSAGE0) dKEY0) ==>
          (!m1 m2. verify m1 m2 ekey = (m2 = sign m1 dKEY0)) ==>
          (!m1 m2 dkey1 dkey2.
            (sign m1 dkey1 = sign m2 dkey2) ==>
            (m1 = m2) /\ (dkey1 = dkey2)) ==>
          ~(rxmic = txmic) ==>
          ~(is_Authentic2 verify hash MESSAGE0 rxmic ekey)
    not_Intact
      |- !verify sign hash MESSAGE0 txmic rxmic ekey dKEY0.
          (txmic = sign (hash MESSAGE0) dKEY0) ==>
          (!m1 m2. verify m1 m2 ekey = (m2 = sign m1 dKEY0)) ==>
          (!m1 m2 dkey1 dkey2.
            (sign m1 dkey1 = sign m2 dkey2) ==>
            (m1 = m2) /\ (dkey1 = dkey2)) ==>
          ~(rxmic = txmic) ==>
          ~(is_Intact verify hash MESSAGE0 rxmic ekey)
    is_deniable
      |- !verify sign hash MESSAGE0 txmic rxmic ekey dKEY0.
          (txmic = sign (hash MESSAGE0) dKEY0) ==>
          (!m1 m2. verify m1 m2 ekey = (m2 = sign m1 dKEY0)) ==>
          (!m1 m2 dkey1 dkey2.
            (sign m1 dkey1 = sign m2 dkey2) ==>
            (m1 = m2) /\ (dkey1 = dkey2)) ==>
          ~(rxmic = txmic) ==>
          ~(is_non_deniable verify (hash MESSAGE0) rxmic ekey)
    get_DEK_algid_CASES  |- !x. get_DEK_algid x = DES_CBC
    get_MIC_hashid_CASES
      |- !x. (get_MIC_algid x = RSA_MD2) \/ (get_MIC_algid x = RSA_MD5)
    get_MIC_signid_CASES
      |- !x.
          (get_MIC_sigalgid x = DES_EDE) \/
          (get_MIC_sigalgid x = DES_ECB) \/
          (get_MIC_sigalgid x = RSA)
    get_KEY_algid_CASES  |- !x. get_KEY_algid x = RSA


C.2 pem_definitions.sml


(* File:
        pem_definitions.sml
 ==============================================================*)

(* Description:
        general functions for PEM
 *)

(* Date:
        Sept. 13, 1996
 *)

(* Author:
        Shiu-Kai Chin, Dan Zhou
 ==============================================================*)

(* msgsender:   the actual sender of the message             *)
(* Originator:  the stated sender in the message             *)
(* msgreceiver: the actual receiver of the message,          *)
(*              the one that performs PEM services           *)
(* Recipient:   the intended recipient of the message        *)
(* verify:      takes msg, signature, and key                *)
(* message:     plain text                                   *)
(* msg:         cipher text                                  *)
(* mic:         message integrity code, or digital signature *)
(* encryptS:    plaintext -> ekey -> IV -> ciphertext        *)


new_theory "pem_definitions";

(* theory = "-" loads the library into the theory just opened *)
load_library{lib = hol88_lib, theory = "-"};
open Psyntax Compat;

new_parent "pem_syntax";

add_theory_to_sml "pem_syntax";

val msgreceiver = new_constant ("msgreceiver",
                                ==`:string`==);

(* the private key of recipient *)

val recipientkey = new_constant ("recipientkey",
                                 ==`:string`==);

val sDES_EDE = new_constant
    ("sDES_EDE", ==`:string->string->string->bool`==);
val sDES_ECB = new_constant
    ("sDES_ECB", ==`:string->string->string->bool`==);
val sRSA = new_constant
    ("sRSA", ==`:string->string->string->bool`==);



val fRSA = new_constant ("fRSA", ==`:string->string->string`==);

val fRSA_MD2 = new_constant ("fRSA_MD2", ==`:string->string`==);
val fRSA_MD5 = new_constant ("fRSA_MD5", ==`:string->string`==);

val fDES_CBC = new_constant ("fDES_CBC",
                             ==`:string->string->IV->string`==);

val get_Key_from_ID = new_constant
    ("get_Key_from_ID", ==`:id_asymmetric->string`==);


(*==============================================================*)

(* these are the algorithm and IV for encrypting/decrypting *)
(* message                                                  *)

val get_DEK_algid = new_definition ("get_DEK_algid",
    (--`get_DEK_algid (x:dekinfo) =
        FST(REP_dekinfo x)`--));

val get_DEK_IV = new_definition ("get_DEK_IV",
    (--`get_DEK_IV (x:dekinfo) =
        SND(REP_dekinfo x)`--));

val msg_Encrypt_select = new_definition ("msg_Encrypt_select",
    (--`msg_Encrypt_select (x:dekinfo) =
        ((get_DEK_algid x = DES_CBC) => fDES_CBC | fDES_CBC)`--));


val get_Recipient = new_constant (
    "get_Recipient",
    ==`:(string list) ->
        ((id_asymmetric#string) list) -> (id_asymmetric#string)`==);


val get_Recipient_key = new_definition ("get_Recipient_key",
    (--`get_Recipient_key (recipient:id_asymmetric#string)
        = SND recipient`--));

val get_Recipient_asyID = new_definition ("get_Recipient_asyID",
    (--`get_Recipient_asyID (recipient:id_asymmetric#string)
        = FST recipient`--));


val get_MIC_algid = new_definition ("get_MIC_algid",
    (--`get_MIC_algid (x:MIC_info) =
        FST(REP_MIC_info x)`--));

val get_MIC_sigalgid = new_definition ("get_MIC_sigalgid",
    (--`get_MIC_sigalgid (x:MIC_info)
        = FST(SND(REP_MIC_info x))`--));

val get_MIC_mic = new_definition ("get_MIC_mic",
    (--`get_MIC_mic (x:MIC_info)
        = SND(SND(REP_MIC_info x))`--));

val MIC_hash_select = new_definition ("MIC_hash_select",
    (--`(MIC_hash_select:MIC_info->(string->string))
        (x:MIC_info) =
        ((get_MIC_algid x = RSA_MD2) => fRSA_MD2 | fRSA_MD5)`--));

val MIC_sign_select = new_definition ("MIC_sign_select",
    (--`(MIC_sign_select:
         MIC_info->(string->string->string->bool))
        (x:MIC_info) =
        ((get_MIC_sigalgid x = DES_EDE) => sDES_EDE |
         ((get_MIC_sigalgid x = DES_ECB) => sDES_ECB | sRSA))`--));



(* encrypted DEK information *)

val get_KEY_algid = new_definition ("get_KEY_algid",
    (--`get_KEY_algid (x:Key_info) =
        FST(REP_Key_info x)`--));


val get_KEY_asymsgKey = new_definition ("get_KEY_asymsgKey",
    (--`get_KEY_asymsgKey (x:Key_info) =
        SND(REP_Key_info x)`--));


val DEK_encrypt_select = new_definition ("DEK_encrypt_select",
    (--`(DEK_encrypt_select:Key_info->(string->string->string))
        (x:Key_info) =
        ((get_KEY_algid x = RSA) => fRSA | fRSA)`--));

(*==============================================================*)

(* Key convention:                                              *)
(*   in public key cryptography:  ekey: public key              *)
(*                                dkey: private key             *)
(*   in secret key cryptography:  key, ekey, dkey: same thing   *)
(* term convention:                                             *)
(*==============================================================*)


(* MIC: a fixed-length quantity generated cryptographically     *)
(* and associated with a message to reassure the recipient that *)
(* the message is genuine                                       *)

(* digital signature: same for MIC, in public key case          *)

(* signature: a quantity associated with a message which only   *)
(* someone with knowledge of your private key could have        *)
(* generated, but which can be verified through knowledge of    *)
(* your public key                                              *)


(* if you can retrieve the original message by decryption, then *)
(* you are the intended recipient                               *)

val is_PrivateS = new_definition ("is_PrivateS",
    (--`is_PrivateS
        (decryptS: string -> string -> IV -> string)
        (message: string)    (* plain text *)
        (rxmsg: string)      (* cipher text *)
        (decryptIV: IV)
        (key: string) =
        (decryptS rxmsg key decryptIV = message)`--));

val is_PrivateP = new_definition ("is_PrivateP",
    (--`is_PrivateP
        (decryptP: string -> string -> string)
        (message: string)    (* plain text *)
        (rxmsg: string)      (* cipher text *)
        (dkey: string) =
        (decryptP rxmsg dkey = message)`--));


(* is_Authentic: if I can check the signature, then only   *)
(* the person who knows the private key could have signed  *)
(* the text                                                *)

val is_Authentic = new_definition ("is_Authentic",
    (--`is_Authentic
        (verify: string -> string -> string -> bool)
        (message: string)    (* plain text *)
        (signature: string)  (* signature of message *)
        (ekey: string) =
        verify message signature ekey`--));


(* is_Authentic2: if I can check the digital signature of a      *)
(* message, then only the person who knows the private key could *)
(* have signed the text                                          *)

val is_Authentic2 = new_definition ("is_Authentic2",
    (--`is_Authentic2
        (verify: string -> string -> string -> bool)
        (hash: string -> string)
        (message: string)    (* original plain text *)
        (mic:string)         (* received signature of the MD *)
        (ekey: string) =
        verify (hash message) mic ekey`--));


(* if you can verify the signature of a message digest, *)
(* then you can be sure that the message is intact      *)
val is_Intact = new_definition ("is_Intact",
    (--`is_Intact
        (verify:string -> string -> string -> bool)
        (hash: string -> string)
        (message:string)
        (mic:string)
        (ekey:string) =
        verify (hash message) mic ekey`--));


(* a private key uniquely identifies with a principal,     *)
(* so if the message is signed with a dkey, then only the  *)
(* owner of dkey could have signed it                      *)

val is_non_deniable = new_definition ("is_non_deniable",
    (--`is_non_deniable
        (verify: string -> string -> string -> bool)
        (message: string)    (* original plain text *)
        (signature:string)   (* received signature *)
        (ekey: string) =
        verify message signature ekey`--));


close_theory();
export_theory();


(* prove the property is_Private *)

(* the per message key is secure *)
(*val is_Private_DEK =
  |- !decryptP encryptP message txmsg rxmsg ekey dKEY0 dkey.
      (rxmsg = txmsg) ==>
      (txmsg = encryptP message ekey) ==>
      (!msg. decryptP (encryptP msg ekey) dKEY0 = msg) ==>
      (!msg d2. (decryptP (encryptP msg ekey) d2 = msg)
                ==> (d2 = dKEY0)) ==>
      ((dkey = dKEY0) = is_PrivateP decryptP message rxmsg dkey)
*)


val is_Private_DEK = prove_thm ("is_Private_DEK",
    (--`!(decryptP:string->string->string)
        (encryptP:string->string->string)
        (message: string)    (* plaintext *)
        (txmsg:string)       (* ciphertext *)
        (rxmsg: string)      (* ciphertext *)
        (ekey: string)
        (dKEY0: string)
        (dkey: string).
        (rxmsg = txmsg) ==>
        (txmsg = encryptP message ekey) ==>
        (!msg. (decryptP (encryptP msg ekey) dKEY0) = msg) ==>
        (!msg d2. ((decryptP (encryptP msg ekey) d2) = msg)
                  ==> (d2 = dKEY0)) ==>
        ((dkey = dKEY0) = is_PrivateP decryptP message rxmsg dkey)`--),
    REPEAT GEN_TAC THEN
    DISCH_THEN (fn th => REWRITE_TAC [th, is_PrivateP]) THEN
    DISCH_THEN (fn th => REWRITE_TAC [th]) THEN
    DISCH_THEN (fn th => ASSUME_TAC
                         (SPECL [--`message:string`--] th)) THEN
    DISCH_THEN (fn th => ASSUME_TAC
                         (SPECL [--`message:string`--, --`dkey:string`--] th)) THEN
    EQ_TAC THENL
    [DISCH_THEN (fn th => REWRITE_TAC [th]) THEN
     ASM_REWRITE_TAC [],
     PURE_ONCE_ASM_REWRITE_TAC []]);


(*val is_Private_msg =
  |- !decryptS encryptS message txmsg rxmsg decryptIV KEY0 key.
      (rxmsg = txmsg) ==>
      (txmsg = encryptS message KEY0 decryptIV) ==>
      (!msg key.
        (decryptS (encryptS msg key decryptIV) key decryptIV = msg)
        /\ (!msg key1. (decryptS msg key1 decryptIV
                        = decryptS msg key decryptIV) = (key = key1))) ==>
      ((key = KEY0)
       = is_PrivateS decryptS message rxmsg decryptIV key)
*)

val is_Private_msg =
    prove_thm ("is_Private_msg",
    (--`!(decryptS: string -> string -> IV -> string)
        (encryptS: string -> string -> IV -> string)
        (message: string)    (* plaintext *)
        (txmsg: string)      (* ciphertext *)
        (rxmsg: string)      (* ciphertext *)
        (decryptIV: IV)
        (KEY0: string)
        (key: string).
        (rxmsg = txmsg) ==>
        (txmsg = encryptS message KEY0 decryptIV) ==>
        (!msg key. (decryptS
                    (encryptS msg key decryptIV) key decryptIV = msg) /\
                   !msg key1. ((decryptS msg key1 decryptIV
                                = decryptS msg key decryptIV) = (key = key1))) ==>
        ((key = KEY0) =
         is_PrivateS decryptS message rxmsg decryptIV key)`--),
    REPEAT GEN_TAC THEN
    DISCH_THEN (fn th => REWRITE_TAC [th, is_PrivateS]) THEN
    DISCH_THEN (fn th => REWRITE_TAC [th]) THEN
    DISCH_THEN (fn th => MP_TAC
                (SPECL [--`message: string`--, --`KEY0: string`--] th)) THEN
    DISCH_THEN (fn th => ASSUME_TAC (CONJUNCT1 th) THEN
                MP_TAC (SPECL
                        [--`(encryptS: string -> string -> IV -> string)
                            message KEY0 decryptIV`--,
                         --`key:string`--] (CONJUNCT2 th))) THEN
    DISCH_THEN (fn th => ASSUME_TAC th) THEN
    EQ_TAC THENL
    [DISCH_THEN (fn th => ASM_REWRITE_TAC [th]),
     UNDISCH_TAC (--`(decryptS: string -> string -> IV -> string)
                     (encryptS message KEY0 decryptIV)
                     KEY0 decryptIV = message`--) THEN
     DISCH_THEN (fn th1 => (DISCH_THEN (fn th2 => ASSUME_TAC (SYM
         (SUBST [((SYM th2), --`x:string`--)]
                (--`(decryptS: string -> string -> IV -> string)
                    (encryptS (message: string) KEY0 decryptIV)
                    KEY0 decryptIV = x`--) th1)))))
     THEN
     RES_TAC THEN
     ASM_REWRITE_TAC []]);


(* prove the property is_Authentic *)

(*val is_Authentic_MD =
  |- !verify sign message txmsg rxmsg ekey dKEY0 dkey.
      (rxmsg = txmsg) ==>
      (txmsg = sign MD dkey) ==>
      (!msg. verify msg (sign msg dkey) ekey = (dkey = dKEY0)) ==>
      ((dkey = dKEY0) = is_Authentic verify MD rxmsg ekey)
*)


val is_Authentic_MD = prove_thm ("is_Authentic_MD",
    (--`!(verify:string->string->string->bool)
        (sign:string->string->string)
        (message: string)    (* plaintext *)
        (txmsg:string)       (* ciphertext *)
        (rxmsg:string)       (* ciphertext *)
        (ekey: string)
        (dKEY0: string)
        (dkey: string).
        (rxmsg = txmsg) ==>
        (txmsg = sign MD dkey) ==>
        (!msg. verify msg (sign msg dkey) ekey = (dkey = dKEY0)) ==>
        ((dkey = dKEY0) =
         is_Authentic verify MD rxmsg ekey)`--),
    REPEAT GEN_TAC THEN
    DISCH_THEN (fn th => REWRITE_TAC [th, is_Authentic]) THEN
    DISCH_THEN (fn th => REWRITE_TAC [th]) THEN
    DISCH_THEN (fn th => ASSUME_TAC
                         (SPECL [--`MD:string`--] th)) THEN
    ASM_REWRITE_TAC []);

(* Assure the recipient that the sender did send the message *)

(*val is_Authentic_msg =
  |- !verify sign hash message txmic rxmic ekey dKEY0 dkey.
      (rxmic = txmic) ==>
      (txmic = sign (hash message) dkey) ==>
      (!m1 m2 dkey2. verify m1 (sign m2 dkey2) ekey = (dkey2 = dKEY0)) ==>
      ((dkey = dKEY0) = is_Authentic2 verify hash message rxmic ekey)
*)

val is_Authentic_msg = prove_thm ("is_Authentic_msg",
    (--`!(verify:string->string->string->bool)
        (sign:string->string->string)
        (hash: string->string)
        (message:string)     (* plaintext *)
        (txmic:string)       (* digital signature *)
        (rxmic:string)       (* digital signature *)
        (ekey: string)
        (dKEY0: string)
        (dkey: string).
        (rxmic = txmic) ==>
        (txmic = sign (hash message) dkey) ==>
        (!m1 m2 dkey2. verify m1 (sign m2 dkey2) ekey
                       = (dkey2 = dKEY0)) ==>
        ((dkey = dKEY0) =
         is_Authentic2 verify hash message rxmic ekey)`--),
    REPEAT GEN_TAC THEN
    DISCH_THEN (fn th => REWRITE_TAC [th, is_Authentic2]) THEN
    DISCH_THEN (fn th => REWRITE_TAC [th]) THEN
    DISCH_THEN (fn th => ASSUME_TAC
        (SPECL [--`(hash:string->string) (message:string)`--,
                --`(hash:string->string) (message:string)`--,
                --`dkey:string`--] th)) THEN
    ASM_REWRITE_TAC []);


(*==============================================================*)

(* is_Intact applied to a message *)

(*val is_Intact_msg =
  |- !verify sign hash txmessage rxmessage txmic rxmic ekey dkey.
      (txmic = sign (hash txmessage) dkey) ==>
      (rxmic = txmic) ==>
      (!m1 m2. (hash m1 = hash m2) ==> (m1 = m2)) ==>
      (!s1 s2. verify s1 (sign s2 dkey) ekey = (s1 = s2)) ==>
      ((rxmessage = txmessage)
       = is_Intact verify hash rxmessage rxmic ekey)
*)

val is_Intact_msg = prove_thm ("is_Intact_msg",
    (--`!(verify:string -> string -> string -> bool)
        (sign:string -> string -> string)
        (hash: string -> string)
        (txmessage: string) (rxmessage: string)
        (txmic: string) (rxmic: string)
        (ekey: string) (dkey: string).
        (txmic = sign (hash txmessage) dkey) ==>
        (rxmic = txmic) ==>
        (!m1 m2. (hash m1 = hash m2) ==> (m1 = m2)) ==>
        (!s1 s2. verify s1 (sign s2 dkey) ekey = (s1 = s2)) ==>
        ((rxmessage = txmessage) =
         is_Intact verify hash rxmessage rxmic ekey)`--),
    REPEAT GEN_TAC THEN
    DISCH_THEN (fn th => REWRITE_TAC [th, is_Intact]) THEN
    DISCH_THEN (fn th => REWRITE_TAC [th]) THEN
    DISCH_THEN (fn th => ASSUME_TAC (SPECL
        [(--`rxmessage:string`--), (--`txmessage:string`--)] th)) THEN
    DISCH_THEN (fn th => ASSUME_TAC (SPECL
        [(--`(hash:string->string) (txmessage:string)`--),
         (--`(hash:string->string) (txmessage:string)`--)] th)
        THEN MP_TAC th) THEN
    DISCH_THEN (fn th => ASSUME_TAC (SPECL
        [(--`(hash:string->string) (rxmessage:string)`--),
         (--`(hash:string->string) (txmessage:string)`--)] th)) THEN
    EQ_TAC THENL
    [DISCH_THEN (fn th => REWRITE_TAC [th]) THEN
     ASM_REWRITE_TAC [],
     ASM_REWRITE_TAC []]);
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<*  prove  non-iepudij-tion 

<*Ya.l  i3.noii_<ieni4.ble_a3g  s 

I-  Iverify  3ign  hi3li  messige  lESSASEO  txmic  rxmic  ekey  dKEYO  dkey. 

(ixrnic  5  txmic)  tt) 

i^txmic  3  sign  Oia.3h  lESSAOEO)  dkey)  33> 

Cml  mi.  <hi3h  ml  s  hish  mi)  t  ml  t  ml)  53> 

<!ml  mi  dkeyi.  veiiiy  ml  <3igii  mi  dkeyl)  ekey 
s  <ml  3  mi)  n  (dkeyl  t  dJEYO))  3C) 

(<dkey  3  dEEYO)  l\  (messige  3  lESSABEO)  3 

i3.noii.denij.ble  veiiiy  <hj.3h  me33ige)  ixmic  ekey) 

*) 

VJ.1  is.non.deniJ-ble.msg  3  prove.thm  ("is.non.deniible.msg", 

! (veiiiy :3tring->3tiing->3tiing->bool) 

(3ign  :3tiing-)3tiing-)3tiing) 

(hi3h:  3tiing-> string) 

(mes3J.ge  sstring)  (*  pliintext,  retrieved  by  recipient  *) 
(msSACrEO:  string)  (>*  plaintext,  used  by  originator  *) 

(txmic  :  string) 

(rxmic  :  string) 

(ekey:  string)  (*  public  key  oi  clj-imed  oiiginj.toi  *) 

(dlEYO:  string)  (*  privvte  key  oi  cliimed  origlnj.toi  >*) 

(dkey:  string).  (*  private  key  oi  iei.1  oiiginttor  ») 

(rxmic  3  txmic)  33) 

(txmic  3  sign  (hj.sh  lESSAGEO)  dkey)  33) 

(!m)  ml.  (hj.sh  ml  3  hj.sh  ml)  3  ml  3  mi)  3t) 

Cml  ml  dkeyl.  veriiy  ml  (sign  ml  dkeyl)  ekey 
3  ((ml  3  ml)  /\  (dkeyl  3  dKEYO)))  30 
(((dkey  3  dKEYO)  /\  (mo3SJ.ge  3  HESSASEO))  3 
is.non.denij-ble  veriiy  (hj.sh  messj-ge)  rxmic  ekey)'--), 

REPEAT  OEH.TAC  THEH 

DISCH.THEI  (in  th  3)  REiiBnZ.TAC  [th,  is.non.denij.ble] )  THEF 
IISCH.TKEH  (in  tk  3)  REliRnE.TAC  CtM)  THEH 
DISCH.THEI  (in  th  3)  ASSUIE.TAC 

(SPECL  [--‘mess  J.ge:  string' -- ,  —  'lESSAGEOistiing'--]  th))  THEH 
DISCH.THEI  (in  th  3)  ASSDIE.TAC 

(SPECL  [--‘(hj.sh:string-)string)  (me3SJ.ge: string)'--, 

-- ‘  (hj.3h : string-) string)  (IESSA6E0 : string)  ‘ , 

-- ‘dkey: string' --]  th))  THEI 
ASI.REiiBnE.TAC  []  THEH 

ACCEPT.TAC  (SPECL  [-- ‘ (dkey: string)  3  (dKEYO:stiing)‘ -- , 

--' (mess J.ge:  string)  3  (IESSA6E0:3tring)‘--]  COHJ.SYE)); 


val th = TAC_PROOF (
  ([], --`!A B. (~A ==> ~B) = (B ==> A)`--),
  REPEAT GEN_TAC THEN EQ_TAC THENL
  [DISCH_THEN (fn th => MP_TAC (IMP_ELIM th)) THEN
   SUBST1_TAC (SPECL [--`~~A`--, --`~B`--] DISJ_SYM) THEN
   DISCH_THEN (fn th => MP_TAC (DISJ_IMP th)) THEN
   REWRITE_TAC [NOT_CLAUSES],
   DISCH_THEN (fn th => MP_TAC (IMP_ELIM th)) THEN
   SUBST1_TAC (SPECL [--`~B`--, --`A:bool`--] DISJ_SYM) THEN
   DISCH_THEN (fn th => MP_TAC (DISJ_IMP th)) THEN
   REWRITE_TAC [NOT_CLAUSES]]);


(* This says that if I send you a message and the MIC is somehow
   changed on the way, then you cannot be sure of the source of the
   message *)

(* val not_Authentic =
  |- !verify sign hash MESSAGE0 txmic rxmic ekey dKEY0.
       (txmic = sign (hash MESSAGE0) dKEY0) ==>
       (!m1 m2. verify m1 m2 ekey = m2 = sign m1 dKEY0) ==>
       (!m1 m2 dkey1 dkey2.
          (sign m1 dkey1 = sign m2 dkey2) ==> (m1 = m2) /\ (dkey1 = dkey2)) ==>
       ~(rxmic = txmic) ==>
       ~(is_Authentic2 verify hash MESSAGE0 rxmic ekey) : thm
*)

val not_Authentic = prove_thm ("not_Authentic",
  (--`!(verify:string->string->string->bool)
      (sign:string->string->string)
      (hash:string->string)
      (MESSAGE0:string)     (* plaintext, used by originator *)
      (txmic:string)
      (rxmic:string)
      (ekey:string)         (* public key of claimed originator *)
      (dKEY0:string).       (* private key of claimed originator *)
      (txmic = sign (hash MESSAGE0) dKEY0) ==>
      (!m1 m2. verify m1 m2 ekey = (m2 = sign m1 dKEY0)) ==>
      (!m1 m2 dkey1 dkey2. (sign m1 dkey1 = sign m2 dkey2)
                           ==> (m1 = m2) /\ (dkey1 = dkey2)) ==>
      ~(rxmic = txmic) ==>
      ~(is_Authentic2 verify hash MESSAGE0 rxmic ekey)`--),
  REPEAT GEN_TAC THEN
  REWRITE_TAC [is_Authentic2, th] THEN
  DISCH_THEN (fn th => REWRITE_TAC [th]) THEN
  DISCH_THEN (fn th => REWRITE_TAC [th]));


(* ================================================================ *)

(* This says that if I send you a message and the MIC is somehow
   changed on the way, then you cannot be sure of the integrity of
   both MIC and message, since either one could have been changed *)

(* val not_Intact =
  |- !verify sign hash MESSAGE0 txmic rxmic ekey dKEY0.
       (txmic = sign (hash MESSAGE0) dKEY0) ==>
       (!m1 m2. verify m1 m2 ekey = m2 = sign m1 dKEY0) ==>
       (!m1 m2 dkey1 dkey2.
          (sign m1 dkey1 = sign m2 dkey2) ==> (m1 = m2) /\ (dkey1 = dkey2)) ==>
       ~(rxmic = txmic) ==>
       ~(is_Intact verify hash MESSAGE0 rxmic ekey) : thm
*)

val not_Intact = prove_thm ("not_Intact",
  (--`!(verify:string->string->string->bool)
      (sign:string->string->string)
      (hash:string->string)
      (MESSAGE0:string)     (* plaintext, used by originator *)
      (txmic:string)
      (rxmic:string)
      (ekey:string)         (* public key of claimed originator *)
      (dKEY0:string).       (* private key of claimed originator *)
      (txmic = sign (hash MESSAGE0) dKEY0) ==>
      (!m1 m2. verify m1 m2 ekey = (m2 = sign m1 dKEY0)) ==>
      (!m1 m2 dkey1 dkey2. (sign m1 dkey1 = sign m2 dkey2)
                           ==> (m1 = m2) /\ (dkey1 = dkey2)) ==>
      ~(rxmic = txmic) ==>
      ~(is_Intact verify hash MESSAGE0 rxmic ekey)`--),
  REPEAT GEN_TAC THEN
  REWRITE_TAC [is_Intact, th] THEN
  DISCH_THEN (fn th => REWRITE_TAC [th]) THEN
  DISCH_THEN (fn th => REWRITE_TAC [th]));


(* This says that if I send you a message and the MIC is somehow
   changed on the way, then I can deny having sent the message. *)

(* The reason we assume the received message is correct and the
   claimed identity of the originator is real is that otherwise one
   could only say that someone did not send some mail, rather than
   that this originator did not send this mail message. *)

(* val is_deniable =
  |- !verify sign hash MESSAGE0 txmic rxmic ekey dKEY0.
       (txmic = sign (hash MESSAGE0) dKEY0) ==>
       (!m1 m2. verify m1 m2 ekey = m2 = sign m1 dKEY0) ==>
       (!m1 m2 dkey1 dkey2.
          (sign m1 dkey1 = sign m2 dkey2) ==> (m1 = m2) /\ (dkey1 = dkey2)) ==>
       ~(rxmic = txmic) ==>
       ~(is_non_deniable verify (hash MESSAGE0) rxmic ekey) : thm
*)

val is_deniable = prove_thm ("is_deniable",
  (--`!(verify:string->string->string->bool)
      (sign:string->string->string)
      (hash:string->string)
      (MESSAGE0:string)     (* plaintext, used by originator *)
      (txmic:string)
      (rxmic:string)
      (ekey:string)         (* public key of claimed originator *)
      (dKEY0:string).       (* private key of claimed originator *)
      (txmic = sign (hash MESSAGE0) dKEY0) ==>
      (!m1 m2. verify m1 m2 ekey = (m2 = sign m1 dKEY0)) ==>
      (!m1 m2 dkey1 dkey2. (sign m1 dkey1 = sign m2 dkey2)
                           ==> (m1 = m2) /\ (dkey1 = dkey2)) ==>
      ~(rxmic = txmic) ==>
      ~(is_non_deniable verify (hash MESSAGE0) rxmic ekey)`--),
  REPEAT GEN_TAC THEN
  REWRITE_TAC [is_non_deniable, th] THEN
  DISCH_THEN (fn th => REWRITE_TAC [th]) THEN
  DISCH_THEN (fn th => REWRITE_TAC [th]));


val th1 = SPECL [--`x:dekinfo`--]
               (CONJUNCT1 dekinfo_ISO_DEF);
val th2 = REWRITE_RULE [th1] (SPECL [--`REP_dekinfo (x:dekinfo)`--]
                              (CONJUNCT2 dekinfo_ISO_DEF));
val th3 = REWRITE_RULE [is_dekinfo] th2;

(* val get_DEK_algid_CASES = |- !x. get_DEK_algid x = DES_CBC *)

val get_DEK_algid_CASES = prove_thm ("get_DEK_algid_CASES",
  --`!x. (get_DEK_algid x = DES_CBC)`--,
  GEN_TAC THEN
  REWRITE_TAC [get_DEK_algid, th3]);

(* ================================================================ *)

val th1 = SPECL [--`x:MIC_info`--]
               (CONJUNCT1 MIC_info_ISO_DEF);
val th2 = SPECL [--`REP_MIC_info (x:MIC_info)`--]
               (CONJUNCT2 MIC_info_ISO_DEF);
val th3 = REWRITE_RULE [th1] th2;
val th4 = REWRITE_RULE [is_MIC_info] th3;
val th5 = CONJUNCT1 th4;
val th6 = CONJUNCT2 th4;

(* get_MIC_hashid_CASES:
   |- !x. (get_MIC_algid x = RSA_MD2) \/ (get_MIC_algid x = RSA_MD5)
*)

val get_MIC_hashid_CASES = prove_thm ("get_MIC_hashid_CASES",
  --`!x. (get_MIC_algid x = RSA_MD2) \/
         (get_MIC_algid x = RSA_MD5)`--,
  GEN_TAC THEN
  REWRITE_TAC [get_MIC_algid, th5]);

(* get_MIC_signid_CASES:
   |- !x.
        (get_MIC_sigalgid x = DES_EDE) \/
        (get_MIC_sigalgid x = DES_ECB) \/
        (get_MIC_sigalgid x = RSA) : thm
*)

val get_MIC_signid_CASES = prove_thm ("get_MIC_signid_CASES",
  --`!x. (get_MIC_sigalgid x = DES_EDE) \/
         (get_MIC_sigalgid x = DES_ECB) \/
         (get_MIC_sigalgid x = RSA)`--,
  GEN_TAC THEN
  REWRITE_TAC [get_MIC_sigalgid, th6]);

(* ================================================================ *)

val th1 = SPECL [--`x:Key_info`--]
               (CONJUNCT1 Key_info_ISO_DEF);
val th2 = REWRITE_RULE [th1] (SPECL [--`REP_Key_info (x:Key_info)`--]
                              (CONJUNCT2 Key_info_ISO_DEF));
val th3 = REWRITE_RULE [is_Key_info] th2;

(* val get_Key_algid_CASES = |- !x. get_KEY_algid x = RSA *)

val get_Key_algid_CASES = prove_thm ("get_Key_algid_CASES",
  --`!x. (get_KEY_algid x = RSA)`--,
  GEN_TAC THEN
  REWRITE_TAC [get_KEY_algid, th3]);

export_theory();
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PEM_CLEAR 


D.l  pem_clear. theory 

Theory:  pen.cleiT 

Pixeats : 

pem.def  initions 

Type  constinrs: 


Term  constuits: 

IIC.CLm.exuiple  (Prelix) 

istring  -)  string  -)  string  -)  string  -> 

preeb  #  proctype  •  contentdomtin  •  id.».symaetric  •  tertilinite  list  • 
IlC.inio  t  string  t  posteb 
get  .lie. CLEAR. lie. InTo  (Prefix) 

:preob  t  pxootype  t  content domxin  i  id.isymmetric  #  certilicite  list  t 
lie. info  t  string  *  posteb  -»  IlC.info 
get. DriginitorAsymU. info  (Prefix) 

:preeb  t  proctype  t  contentdomiin  t  id. isymmetric  t  certificate  list  t 
lie. info  •  string  f  posteb  -)  id.isymmetric 
get.IIC.CLEAR.Proc.Type  (Prefix) 

ipreeb  t  proctype  t  contentdomiin  #  id.j.symmotric  •  certificite  list  • 
lie. info  t  string  t  posteb  -P  proctype 
get.IIC. CLEAR. text  (Prefix) 

:preeb  #  proctype  •  contentdomiin  •  id.isymmetric  #  certificite  list  t 
EIC.info  t  string  t  posteb  ->  string 
get.msg.HishID  (Prefix) 

:preeb  t  proctype  *  contentdomiin  t  id.isymmetric  t  certificite  list  t 
EIC.info  t  string  t  posteb  -)  ilgid 
get.msg.SignU  (Prefix) 

:preeb  •  proctype  t  contentdomiin  #  id.isymmetric  #  certificite  list  t 
EIC.info  *  string  #  posteb  ->  ilgid 
get.msg.EIC  (Prefix) 

:preeb  t  proctype  •  contentdomiin  t  id.isymmetric  t  certificite  list  t 
EIC.info  t  string  t  posteb  -I  string 
EIC. CLEAR. is. Intict  (Prefix) 

:preeb  t  proctype  t  contentdomiin  f  id.isymmetric  i  certificite  list  t 
EIC.info  t  string  •  posteb  -»  bool 

Axioms : 


I  ef  initions: 

EIC  .  CLEAR  .  eximple 
I-  Isl  s2  s3  si. 

EIC. CLEAR. eximple  si  s2  s3  sd-  t 
(BEfflE  'TEIVACY.EIHAICEB  EAIL”, 
Proc.Type  (4, EIC. CLEAR), 
Content. Bomiin  RFC822, 
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Hl.Asyimatiic  si, 

[Certificite  sS], 

IlC.Ilrfo  <RSA.II15,RSA,53), 

3+, 

EH  'TEIYACY.EIHAICEJ  lAIL") 
gsr.IIC.CLEAR.IIC.Inio 

I-  !x.  get.HIC.CLZAB.HIC.Inio  x  s  FST  <Sm)  <SHD  <Sm)  (SHI  (SHI  x))))) 
gat .  DiiginitoiAsymH  .  ini  o 

I-  :x.  gat. QriginitorAsymlD. info  x  t  FST  (SHI  (SHI  (SHI  x») 
gat.IIC.CLEAB.Proc.Typa  I-  !x.  gat.IIC.CLEAE.Pioc.Type  x  :  FST  (SHI  x) 
gat .HIC . CLEAR. t  axt 

I-  :x.  gat.IIC.CLEAR.taxt  x  t  FST  (SHI  (SHI  (SHI  (SHI  (SHI  (SHI  x))))» 
gat.n3g.K1.shII 

I-  !x.  gat.msg.HishU  x  t  get.IIC.ilgid  (gat.HIC. CLEAR. HIC. Info  x) 
gat.msg.SignU 

I-  !x.  gat.msg.SignU  x  s  gat.HIC.sigilgid  (gat.HIC. CLEAR.IIC. Info  x) 
gat.msg.HIC  I-  !x.  gat.msg.HIC  x  t  gat.IIC.mic  (gat.HIC. CLEAR.IIC. Inf o  x> 
lie. CLEAR. is. Intict 
I-  !nic.clai.z.nsg. 

lie. CLEAR. is. intvet  mic.clau.nsg  t 
(let  nicinfo  s  get  .HIC.  CLEAR.IIC.  Info  aic.cleu.nsg 
in 

let  ehey  s  get.Iey.fion.II  (get. OiiginitoiAsymll. info  mic.clBU.msg> 
in 

is.Inttct  (HIC. sign. select  nicinfo)  (IlC.hish.select  nicinfo) 
(gat.IIC.CLEAR.taxt  mic.clau.nsg) 

(gat.IIC.mic  nicinfo) 
ahay) 


Theoxems : 

integrity,  lemni.1 

I-  ivexify  sign  htsh  txmasstga  xxmesstge  dkey  ehey. 

(!nl  ml.  (hish  ml  :  htsh  ml)  (ml  :  ml))  tt> 

Cml  ml.  verify  ml  (sign  ml  dhey)  efcey  t  ml  s  ml)  tt> 
is.Intict  verify  hish  rrmessige  (sign  (hish  tmassige)  dXey)  ehey  t5> 
(txnessige  s  rrmesstge) 
int  egrity .  lemni.1 

I-  iverify  sign  htsh  tmessige  nxmasstge  dkey  ekey. 

(!ml  ml.  (hish  ml  :  hish  ml)  (ml  :  ml))  ::> 

Cml  ml.  verify  ml  (sign  ml  dkey)  ekey  s  ml  t  ml)  t;> 

(txmessige  t  rxmessige)  st» 

is.Intict  verify  hish  rxmessige  (sign  (hish  txmessige)  dkey)  ekey 
int  egrity . lemmiS 

I-  [verify  sign  hish  txmessige  rxmessige  dkey  ekey. 

(!ml  ml.  (hish  ml  :  hish  ml)  s;>  (ml  :  ml)) 

Cml  ml.  verify  ml  (sign  ml  dkey)  ekey  t  ml  t  ml) 

((txmessige  :  rxmessige)  : 

is.Intict  verify  hish  rxmessige  (sign  (hish  txmessige)  dkey)  ekey) 

Int let 

I-  [verify  sign  hish  txmessige  rxmessige  dkey  ekey  snd. 

(smd  s  sign  (hish  txmessige)  dkey) 

([ml  ml.  (hish  ml  :  hish  ml)  ss>  (nl  :  ml))  tt> 

([ml  ml.  verify  ml  (sign  ml  dkey)  ekey  t  ml  t  ml) 

((txmessige  c  rxmessige)  t  is.Intict  verify  hish  rxmessige  smd  ekey) 
lie. CLEAR. is. Int let. Correct 
I-  [mic.cleu.nsg  sign  txmessige  dkey. 

let  micinfo  s  get. IIC. CLEAR.IIC. Info  mic.cleir.msg 
in 

let  ekey  :  get.Hey.from.m  (get. OriginitorAsymll. info  mic.cleu.nsg) 
in 

let  hish  s  IlC.hish. select  nicinfo 
ind 

verify  s  IlC.sign.select  micinfo 
ind 


           rxmessage = get_MIC_CLEAR_text mic_clear_msg
           in
           (get_MIC_mic micinfo = sign (hash txmessage) dkey) ==>
           (!m1 m2. (hash m1 = hash m2) ==> (m1 = m2)) ==>
           (!m1 m2. verify m1 (sign m2 dkey) ekey = m1 = m2) ==>
           ((txmessage = rxmessage) = MIC_CLEAR_is_Intact mic_clear_msg)


D.2  pem_clear.sml

(* File:        pem_clear.sml                                        *)
(* Description: Selector and security function for                  *)
(*              MIC-CLEAR message                                    *)
(* Date:        Aug. 20, 1996                                        *)
(* Author:      Shiu-Kai Chin, with some modification               *)
(*              by Bin Zhou                                          *)
(* sign:   use a private key, "dkey"                                 *)
(* verify: use public key, "ekey"                                    *)

new_theory "pem_clear";

load_library{lib = hol88_lib, theory = "-"};
open Psyntax Compat;

new_parent "pem_syntax";
new_parent "pem_definitions";

add_theory_to_sml "pem_syntax";
add_theory_to_sml "pem_definitions";

(* ================================================================ *)
(* this section is what needed to be redone for a different         *)
(* message structure of MIC_CLEAR                                   *)

val micclearmsg = ty_antiq
  (==`:(preeb # proctype # contentdomain # id_asymmetric #
        (certificate list) # MIC_info # string # posteb)`==);

val MIC_CLEAR_example = new_definition
  ("MIC_CLEAR_example", --`MIC_CLEAR_example s1 s2 s3 s4 =
     (BEGIN "PRIVACY-ENHANCED MAIL",
      Proc_Type (4,MIC_CLEAR),
      Content_Domain RFC822,
      ID_Asymmetric (s1:string),
      [Certificate (s2:string)],
      MIC_Info (RSA_MD5,RSA,(s3:string)),
                                        (* asymsignmic *)
      (s4:string),
                                        (* pemtext *)
      END "PRIVACY-ENHANCED MAIL")`--);

val get_MIC_CLEAR_MIC_Info = new_definition
  ("get_MIC_CLEAR_MIC_Info",
   (--`get_MIC_CLEAR_MIC_Info (x: ^micclearmsg) =
         FST(SND(SND(SND(SND(SND x)))))`--));

(* sender ID, this field can replace the sender's certificate *)
val get_OriginatorAsymID_info = new_definition
  ("get_OriginatorAsymID_info",
   --`get_OriginatorAsymID_info (x: ^micclearmsg) =
        FST(SND(SND(SND x)))`--);

val get_MIC_CLEAR_Proc_Type = new_definition
  ("get_MIC_CLEAR_Proc_Type",
   (--`get_MIC_CLEAR_Proc_Type (x: ^micclearmsg) = FST(SND x)`--));

val get_MIC_CLEAR_text = new_definition
  ("get_MIC_CLEAR_text",
   (--`get_MIC_CLEAR_text (x: ^micclearmsg) =
         FST(SND(SND(SND(SND(SND(SND x))))))`--));

(* ================================================================ *)
(* retrieve each sub-field from MIC message field                   *)
(* these are not used in the following proof, other functions       *)
(* are used instead                                                 *)

(* Hash Algorithm *)
val get_msg_HashID = new_definition
  ("get_msg_HashID",
   (--`get_msg_HashID (x:^micclearmsg) =
         get_MIC_algid (get_MIC_CLEAR_MIC_Info x)`--));

(* Sign Algorithm for message digest *)
val get_msg_SignID = new_definition ("get_msg_SignID",
   --`get_msg_SignID (x:^micclearmsg)
        = get_MIC_sigalgid (get_MIC_CLEAR_MIC_Info x)`--);

(* Encrypted MIC *)
val get_msg_MIC = new_definition
  ("get_msg_MIC",
   --`get_msg_MIC (x:^micclearmsg)
        = get_MIC_mic (get_MIC_CLEAR_MIC_Info x)`--);

val MIC_CLEAR_is_Intact = new_definition
  ("MIC_CLEAR_is_Intact",
   (--`MIC_CLEAR_is_Intact (mic_clear_msg:^micclearmsg) =
        (let micinfo = (get_MIC_CLEAR_MIC_Info mic_clear_msg) in
         (let ekey = get_Key_from_ID
                       (get_OriginatorAsymID_info mic_clear_msg) in
          (is_Intact
             (MIC_sign_select micinfo)
             (MIC_hash_select micinfo)
             (get_MIC_CLEAR_text mic_clear_msg)
             (get_MIC_mic micinfo) ekey)))`--));

close_theory();
export_theory();

MIC_CLEAR_example;

val integrity_lemma1 = prove_thm
  ("integrity_lemma1",
   (--`!(verify: string -> string -> string -> bool)
       (sign: string -> string -> string)
       (hash: string -> string)
       (txmessage: string) (rxmessage: string)
       (dkey: string) (ekey: string).
       (!m1 m2.(hash m1 = hash m2) ==> (m1 = m2)) ==>
       (!m1 m2. verify m1 (sign m2 dkey) ekey = (m1 = m2)) ==>
       (is_Intact verify hash rxmessage
                  (sign (hash txmessage) dkey) ekey)
       ==> (txmessage = rxmessage)`--),
   REPEAT GEN_TAC THEN
   REWRITE_TAC [is_Intact] THEN
   DISCH_THEN (fn th => ASSUME_TAC (SPECL
     [(--`rxmessage:string`--), (--`txmessage:string`--)] th)) THEN
   DISCH_THEN (fn th => REWRITE_TAC [SPECL
     [(--`(hash:string->string) (rxmessage:string)`--),
      (--`(hash:string->string) (txmessage:string)`--)] th]) THEN
   DISCH_THEN (fn th => ASSUME_TAC th THEN RES_TAC THEN
   ASM_REWRITE_TAC []));

val integrity_lemma2 = prove_thm
  ("integrity_lemma2",
   (--`!(verify: string -> string -> string -> bool)
       (sign: string -> string -> string)
       (hash: string -> string)
       (txmessage: string) (rxmessage: string)
       (dkey: string) (ekey: string).
       (!m1 m2.(hash m1 = hash m2) ==> (m1 = m2)) ==>
       (!m1 m2. verify m1 (sign m2 dkey) ekey = (m1 = m2)) ==>
       ((txmessage = rxmessage) ==>
        (is_Intact verify hash rxmessage
                   (sign (hash txmessage) dkey) ekey))`--),
   REPEAT GEN_TAC
   THEN REWRITE_TAC [is_Intact]
   THEN DISCH_THEN (fn th1 =>
     (DISCH_THEN (fn th2 => REWRITE_TAC
       [th1,(SPEC (--`(hash:string -> string) txmessage`--) th2)])))
   THEN DISCH_THEN (fn th => REWRITE_TAC [th]));

val integrity_lemma3 = prove_thm
  ("integrity_lemma3",
   (--`!(verify: string -> string -> string -> bool)
       (sign: string -> string -> string)
       (hash: string -> string)
       (txmessage: string) (rxmessage: string)
       (dkey: string) (ekey: string).
       (!m1 m2.(hash m1 = hash m2) ==> (m1 = m2)) ==>
       (!m1 m2. verify m1 (sign m2 dkey) ekey = (m1 = m2)) ==>
       ((txmessage = rxmessage) =
        (is_Intact verify hash rxmessage
                   (sign (hash txmessage) dkey) ekey))`--),
   REPEAT GEN_TAC
   THEN DISCH_THEN (fn th1 => (DISCH_THEN (fn th2 => EQ_TAC
     THEN MP_TAC th2 THEN MP_TAC th1)))
   THEN REWRITE_TAC [integrity_lemma1,integrity_lemma2]);

export_theory();

val Intact = prove_thm ("Intact",
   (--`!(verify: string -> string -> string -> bool)
       (sign: string -> string -> string)
       (hash: string -> string)
       (txmessage: string) (rxmessage: string)
       (dkey: string) (ekey: string)
       (smd:string).
       (smd = (sign (hash txmessage) dkey)) ==>
       (!m1 m2.(hash m1 = hash m2) ==> (m1 = m2)) ==>
       (!m1 m2. (verify m1 (sign m2 dkey) ekey) = (m1 = m2)) ==>
       ((txmessage = rxmessage) =
        (is_Intact verify hash rxmessage smd ekey))`--),
   REPEAT GEN_TAC
   THEN DISCH_THEN (fn th => REWRITE_TAC [th])
   THEN REWRITE_TAC [integrity_lemma3]);

fun let_ELIM_CONV t =
  TRY_CONV (let_CONV THENC let_ELIM_CONV) t;

val th1 = let_ELIM_CONV
  (--`let micinfo = get_MIC_CLEAR_MIC_Info mic_clear_msg in
      (let ekey = get_Key_from_ID (get_OriginatorAsymID_info
                                     mic_clear_msg) in
       (let hash = MIC_hash_select micinfo and
            verify = MIC_sign_select micinfo and
            rxmessage = get_MIC_CLEAR_text mic_clear_msg in
        ((get_MIC_mic micinfo = sign (hash txmessage) dkey) ==>
         (!m1 m2.(hash m1 = hash m2) ==> (m1 = m2)) ==>
         (!m1 m2.verify m1
            ((sign:string->string->string) m2 dkey) ekey = (m1 = m2)) ==>
         ((txmessage = rxmessage) =
          MIC_CLEAR_is_Intact mic_clear_msg))))`--);

val th2 = let_ELIM_CONV
  (--`let micinfo = get_MIC_CLEAR_MIC_Info mic_clear_msg
      in
      let ekey = get_Key_from_ID (get_OriginatorAsymID_info mic_clear_msg)
      in
      is_Intact (MIC_sign_select micinfo) (MIC_hash_select micinfo)
                (get_MIC_CLEAR_text mic_clear_msg)
                (get_MIC_mic micinfo)
                ekey`--);

val MIC_CLEAR_is_Intact_Correct = prove_thm
  ("MIC_CLEAR_is_Intact_Correct",
   (--`(!(mic_clear_msg: ^micclearmsg)
        (sign: string -> string -> string)
        (txmessage: string)
        (dkey: string).
        (let micinfo = get_MIC_CLEAR_MIC_Info mic_clear_msg in
         (let ekey = get_Key_from_ID (get_OriginatorAsymID_info
                                        mic_clear_msg) in
          (let hash = MIC_hash_select micinfo and
               verify = MIC_sign_select micinfo and
               rxmessage = get_MIC_CLEAR_text mic_clear_msg in
           ((get_MIC_mic micinfo = sign (hash txmessage) dkey) ==>
            (!m1 m2.(hash m1 = hash m2) ==> (m1 = m2)) ==>
            (!m1 m2.verify m1 (sign m2 dkey) ekey = (m1 = m2)) ==>
            ((txmessage = rxmessage) =
             MIC_CLEAR_is_Intact mic_clear_msg))))))`--),
   REPEAT GEN_TAC
   THEN REWRITE_TAC [th1]
   THEN REWRITE_TAC [MIC_CLEAR_is_Intact,th2]
   THEN REWRITE_TAC [Intact]);

export_theory();
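The MIC-CLEAR selectors and the is_Intact, is_Authentic2 and is_non_deniable checks above treat sign, verify and hash as abstract functions constrained only by hypotheses. What follows is an added example, written for this edition and not part of the original appendix or of the Chin/Zhou HOL development: a runnable Python model of the same message tuple, selectors and predicates, exercised on the scenarios of the theorems not_Intact, not_Authentic, is_deniable and MIC_CLEAR_is_Intact_Correct. Assumptions, all mine: sign and verify are textbook RSA over Mersenne-prime moduli (far too small for real use, and unpadded); hash is SHA-256 rather than the RSA-MD5 of the document's example, so an RSA-SHA256 algid row is added beside RSA-MD5; get_Key_from_ID is a dictionary lookup; and the three predicates are read as "verify the MIC against the hash of the received text under the claimed originator's public key", which is how the proofs above unfold them.

```python
import hashlib

# Toy RSA (assumption: a stand-in for the document's abstract sign/verify).
# p = 2^89-1 and q = 2^107-1 are Mersenne primes; the modulus is far too small
# for real use and there is no padding.  It only gives a concrete instance of
# the hypotheses used above:  verify h (sign h' d) e = (h = h'),  and a MIC
# produced under some other private key does not verify under ekey.
E = 65537

def _modinv(a, m):
    r0, r1, t0, t1 = m, a % m, 0, 1          # extended Euclid
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    return t0 % m

def keypair(p_exp, q_exp):
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    n = p * q
    return (n, E), (n, _modinv(E, (p - 1) * (q - 1)))   # (ekey, dkey)

def rsa_sign(h, dkey):                 # sign : hash -> private key -> mic
    n, d = dkey
    return "%x" % pow(int(h, 16) % n, d, n)

def rsa_verify(h, sig, ekey):          # verify : hash -> mic -> public key -> bool
    n, e = ekey
    return pow(int(sig, 16), e, n) == int(h, 16) % n

# The 8-tuple of MIC_CLEAR_example, indexed as the FST/SND selectors above.
HASH_BY_ID = {"RSA-MD5": hashlib.md5, "RSA-SHA256": hashlib.sha256}   # SHA-256 row is my addition
VERIFY_BY_ID = {"RSA": rsa_verify}
PUBLIC_KEYS = {}                       # get_Key_from_ID modelled as a directory

def MIC_CLEAR_example(s1, s2, s3, s4, hashid="RSA-SHA256"):
    return (("BEGIN", "PRIVACY-ENHANCED MAIL"),
            ("Proc-Type", (4, "MIC-CLEAR")),
            ("Content-Domain", "RFC822"),
            s1,                        # ID_Asymmetric: originator ID
            [s2],                      # [Certificate]
            (hashid, "RSA", s3),       # MIC_Info (hash algid, sign algid, mic)
            s4,                        # text
            ("END", "PRIVACY-ENHANCED MAIL"))

def get_MIC_CLEAR_Proc_Type(x):     return x[1]
def get_OriginatorAsymID_info(x):   return x[3]
def get_MIC_CLEAR_MIC_Info(x):      return x[5]
def get_MIC_CLEAR_text(x):          return x[6]
def get_MIC_mic(micinfo):           return micinfo[2]
def MIC_sign_select(micinfo):       return VERIFY_BY_ID[micinfo[1]]
def get_Key_from_ID(originator_id): return PUBLIC_KEYS[originator_id]
def MIC_hash_select(micinfo):
    h = HASH_BY_ID[micinfo[0]]
    return lambda m: h(m.encode()).hexdigest()

# Security predicates, read as the proofs above unfold them (assumption).
def is_Intact(verify, hash_fn, rxmessage, rxmic, ekey):
    return verify(hash_fn(rxmessage), rxmic, ekey)
def is_Authentic2(verify, hash_fn, message, rxmic, ekey):
    return verify(hash_fn(message), rxmic, ekey)
def is_non_deniable(verify, hashed_message, rxmic, ekey):
    return verify(hashed_message, rxmic, ekey)

def MIC_CLEAR_is_Intact(msg):
    micinfo = get_MIC_CLEAR_MIC_Info(msg)
    ekey = get_Key_from_ID(get_OriginatorAsymID_info(msg))
    return is_Intact(MIC_sign_select(micinfo), MIC_hash_select(micinfo),
                     get_MIC_CLEAR_text(msg), get_MIC_mic(micinfo), ekey)

def MIC_CLEAR_checks(msg):
    """All three receiver-side predicates for one received MIC-CLEAR message."""
    micinfo = get_MIC_CLEAR_MIC_Info(msg)
    verify, hash_fn = MIC_sign_select(micinfo), MIC_hash_select(micinfo)
    ekey = get_Key_from_ID(get_OriginatorAsymID_info(msg))
    text, mic = get_MIC_CLEAR_text(msg), get_MIC_mic(micinfo)
    return {"intact": is_Intact(verify, hash_fn, text, mic, ekey),
            "authentic": is_Authentic2(verify, hash_fn, text, mic, ekey),
            "non_deniable": is_non_deniable(verify, hash_fn(text), mic, ekey)}

def originate(claimed_id, dkey, text, hashid="RSA-SHA256"):
    """Originator side: txmic = sign (hash txmessage) dkey."""
    mic = rsa_sign(HASH_BY_ID[hashid](text.encode()).hexdigest(), dkey)
    return MIC_CLEAR_example(claimed_id, "cert-of-" + claimed_id, mic, text, hashid)

def run_scenarios():
    """Constructed scenarios matching the theorems above; returns their outcomes."""
    alice_pub, alice_priv = keypair(89, 107)       # claimed originator (dKEY0)
    _, mallory_priv = keypair(61, 127)             # some other originator (dkey)
    PUBLIC_KEYS["alice"] = alice_pub
    txmessage = "Transfer 100 EUR to account 42"   # constructed sample text
    msg = originate("alice", alice_priv, txmessage)
    micinfo = get_MIC_CLEAR_MIC_Info(msg)
    mic = get_MIC_mic(micinfo)
    # MIC changed on the way (not_Intact, not_Authentic, is_deniable).
    bad_mic = mic[:-1] + ("0" if mic[-1] != "0" else "1")
    mic_changed = msg[:5] + ((micinfo[0], micinfo[1], bad_mic),) + msg[6:]
    # Text changed on the way (rxmessage <> txmessage), MIC left as sent.
    text_changed = msg[:6] + ("Transfer 900 EUR to account 42",) + msg[7:]
    # Impostor: signed with Mallory's key but claiming Alice's ID (dkey <> dKEY0).
    forged = originate("alice", mallory_priv, txmessage)
    return {
        "honest": MIC_CLEAR_checks(msg),
        "mic_changed": MIC_CLEAR_checks(mic_changed),
        "text_changed": MIC_CLEAR_checks(text_changed),
        "forged": MIC_CLEAR_checks(forged),
        # MIC_CLEAR_is_Intact_Correct: the predicate holds exactly when rx = tx text.
        "intact_correct": [(get_MIC_CLEAR_text(m) == txmessage) == MIC_CLEAR_is_Intact(m)
                           for m in (msg, text_changed)],
    }
```

One caveat the model makes visible: the hypothesis `!m1 m2. (hash m1 = hash m2) ==> (m1 = m2)` says hash is injective, which no real hash function is; a deployment gets collision resistance at best, and with RSA-MD5 (the document's example algorithm) not even that. The changed-text and wrong-key cases therefore fail with overwhelming probability rather than by logical necessity, while the changed-MIC case fails outright, because x -> x^e is a permutation of the residues modulo n.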
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Appendix  E 

PEM_ENCRYPTED 


E.l  pem_encrypted.theory 

7h  ©oxy :  p  ©n.  ©n  cxyp"® 

Pdjgnts: 

p©m.d©flziitlon8 

Typ©  const  j,nts: 


Term  const5.nts: 

EHCRYPTED.ox^pl©  (Prefix) 

:stiing  -)  string  ->  string  -)  string  ->  string  ->  string  -) 
preot)  #  proctypn  #  contentdomiin  •  deJcinlo  #  id.^-syaiaetric  • 
certiiicitB  list  •  IlC.iiufo  t  (id.j.syiuii9tric  •  SBy.inio)  list  •  string  # 
postBb 

gBtEH.BM.inio  (PrBTiic) 

•  piBBb  t  proctypB  •  contBntdoma.in  •  dskinlo  t  id_4.syiiiii9trit  # 

CBrtiricitB  list  t  IlC.inlo  •  (id.^sysimBtric  #  SBy.inlo)  list  t  string  t 
postBb  -)  dBkinTo 

gBtEI.DriginitorAsymlD.inlo  (PrBlix) 

:prBBb  #  proctypB  •  contBntdomiin  •  dBlcinfo  t  id.isyioiBtric  t 
cBrtiricitB  list  t  IlC.inio  #  (id-isymnBtric  t  Ksy.inio)  list  t  string  t 
posteb  ->  id.^8yiim©tric 
getEH-IssuerCert.info  (Prefix) 

rpreeb  #  proctype  t  contentdomiin  t  d^info  #  id.».syinn©txic  t 
cBrtilicitB  list  t  IlC.inlo  #  (id.tsyjmBtric  t  iBy.inlo)  list  •  string  t 
postBb  ->  CBXtilicitB  list 
g9tEH.IIC.inlo  (Prolix) 

:proob  t  proctypo  t  contontdoniin  t  dokinlo  #  id.isymmotric  # 
cortilicito  list  •  IlC.inlo  t  (id.isymmotric  t  Eoy.inlo)  list  •  string  t 
postBb  -I  IlC.inlo 
gotEI.EEH.inlo  (Prolix) 

:proob  t  proctypo  t  contontdomiin  •  dokinlo  #  id.isymmotric  t 
cortilicito  list  •  IlC.inlo  #  (id.isymmotric  t  Eoy.inlo)  list  t  string  t 
post Ob  ->  Eoy.inlo 
gotEI.Iossigo.inlo  (Prolix) 

iproob  t  proctypo  #  contontdomiin  •  dokinlo  #  id.isymmotric  t 
cortilicito  list  t  IlC.inlo  t  (id.isymmotric  #  Eoy.inlo)  list  t  string  # 
postBb  ->  string 
gotEH.msg.IsgEncryptlD  (Prolix) 

iproeb  •  proctypo  #  contontdomiin  t  dokinlo  #  id.isymmotric  t 
cortilicito  list  t  IlC.inlo  #  (id.isymmotric  t  Eoy.inlo)  list  •  string  t 
postob  ->  ilgid 

gotEI.msg.IsgEncryptlY  (Prolix) 

:proBb  t  proctypo  •  contontdomiin  t  dokinlo  •  id.isymmotric  t 
cortilicito  list  t  IlC.inlo  •  (id.isymmotric  #  Eoy.inlo)  list  t  string  # 
posteb  ->  IV 

gotEI.msg.HishID  (Prolix) 

rproob  t  proctype  •  contontdomiin  #  dokinlo  t  id.isymmotric  t 


       certificate list # MIC_info # (id_asymmetric # Key_info) list # string #
       posteb -> algid
    getEM_msg_SignID (Prefix)
      :preeb # proctype # contentdomain # dekinfo # id_asymmetric #
       certificate list # MIC_info # (id_asymmetric # Key_info) list # string #
       posteb -> algid
    getEM_msg_EncryptedMIC (Prefix)
      :preeb # proctype # contentdomain # dekinfo # id_asymmetric #
       certificate list # MIC_info # (id_asymmetric # Key_info) list # string #
       posteb -> string
    getEM_msg_KeyEncryptID (Prefix)
      :preeb # proctype # contentdomain # dekinfo # id_asymmetric #
       certificate list # MIC_info # (id_asymmetric # Key_info) list # string #
       posteb -> algid
    getEM_msg_EncryptedKey (Prefix)
      :preeb # proctype # contentdomain # dekinfo # id_asymmetric #
       certificate list # MIC_info # (id_asymmetric # Key_info) list # string #
       posteb -> string
    getEM_msg_DEK (Prefix)
      :preeb # proctype # contentdomain # dekinfo # id_asymmetric #
       certificate list # MIC_info # (id_asymmetric # Key_info) list # string #
       posteb -> string
    getEM_msg_message (Prefix)
      :preeb # proctype # contentdomain # dekinfo # id_asymmetric #
       certificate list # MIC_info # (id_asymmetric # Key_info) list # string #
       posteb -> string
    getEM_msg_MIC (Prefix)
      :preeb # proctype # contentdomain # dekinfo # id_asymmetric #
       certificate list # MIC_info # (id_asymmetric # Key_info) list # string #
       posteb -> string
    ENCRYPTED_is_PrivateP (Prefix)
      :preeb # proctype # contentdomain # dekinfo # id_asymmetric #
       certificate list # MIC_info # (id_asymmetric # Key_info) list # string #
       posteb -> string -> bool
    ENCRYPTED_is_PrivateS (Prefix)
      :preeb # proctype # contentdomain # dekinfo # id_asymmetric #
       certificate list # MIC_info # (id_asymmetric # Key_info) list # string #
       posteb -> string -> bool
    ENCRYPTED_is_Authentic2 (Prefix)
      :preeb # proctype # contentdomain # dekinfo # id_asymmetric #
       certificate list # MIC_info # (id_asymmetric # Key_info) list # string #
       posteb -> bool
    ENCRYPTED_is_Intact (Prefix)
      :preeb # proctype # contentdomain # dekinfo # id_asymmetric #
       certificate list # MIC_info # (id_asymmetric # Key_info) list # string #
       posteb -> bool
    ENCRYPTED_is_non_deniable (Prefix)
      :preeb # proctype # contentdomain # dekinfo # id_asymmetric #
       certificate list # MIC_info # (id_asymmetric # Key_info) list # string #
       posteb -> bool

Axioms:

Definitions:
    ENCRYPTED_example
      |- !s1 s2 s3 s4 s5 s6.
           ENCRYPTED_example s1 s2 s3 s4 s5 s6 =
           (BEGIN "PRIVACY-ENHANCED MAIL",
            Proc_Type (4,ENCRYPTED),
            Content_Domain RFC822,
            DEK_Info (DES_CBC,IV),
            ID_Asymmetric s1,
            [Certificate s2],
            MIC_Info (RSA_MD5,RSA,s3),
            [ID_Asymmetric s4,Key_Info (RSA,s5)],
            s6,
            END "PRIVACY-ENHANCED MAIL")
    getEM_DEK_info  |- !x. getEM_DEK_info x = FST (SND (SND (SND x)))
    getEM_OriginatorAsymID_info
      |- !x. getEM_OriginatorAsymID_info x = FST (SND (SND (SND (SND x))))
    getEM_IssuerCert_info
      |- !x. getEM_IssuerCert_info x = FST (SND (SND (SND (SND (SND x)))))
    getEM_MIC_info
      |- !x. getEM_MIC_info x = FST (SND (SND (SND (SND (SND (SND x))))))
    getEM_KEY_info
      |- !x.
           getEM_KEY_info x =
           SND (HD (FST (SND (SND (SND (SND (SND (SND (SND x)))))))))
    getEM_Message_info
      |- !x.
           getEM_Message_info x =
           FST (SND (SND (SND (SND (SND (SND (SND (SND x))))))))
    getEM_msg_MsgEncryptID
      |- !x. getEM_msg_MsgEncryptID x = get_DEK_algid (getEM_DEK_info x)
    getEM_msg_MsgEncryptIV
      |- !x. getEM_msg_MsgEncryptIV x = get_DEK_IV (getEM_DEK_info x)
    getEM_msg_HashID
      |- !x. getEM_msg_HashID x = get_MIC_algid (getEM_MIC_info x)
    getEM_msg_SignID
      |- !x. getEM_msg_SignID x = get_MIC_sigalgid (getEM_MIC_info x)
    getEM_msg_EncryptedMIC
      |- !x. getEM_msg_EncryptedMIC x = get_MIC_mic (getEM_MIC_info x)
    getEM_msg_KeyEncryptID
      |- !x. getEM_msg_KeyEncryptID x = get_KEY_algid (getEM_KEY_info x)
    getEM_msg_EncryptedKey
      |- !x. getEM_msg_EncryptedKey x = get_KEY_AsymsgKey (getEM_KEY_info x)
    getEM_msg_DEK
      |- !x.
           getEM_msg_DEK x =
           DEK_encrypt_select (getEM_KEY_info x) (getEM_msg_EncryptedKey x)
                              recipientkey
    getEM_msg_message
      |- !x.
           getEM_msg_message x =
           msg_Encrypt_select (getEM_DEK_info x) (getEM_Message_info x)
                              (getEM_msg_DEK x)
                              (getEM_msg_MsgEncryptIV x)
    getEM_msg_MIC
      |- !x.
           getEM_msg_MIC x =
           msg_Encrypt_select (getEM_DEK_info x) (getEM_msg_EncryptedMIC x)
                              (getEM_msg_DEK x)
                              (getEM_msg_MsgEncryptIV x)
    ENCRYPTED_is_PrivateP
      |- !msg txDEK.
           ENCRYPTED_is_PrivateP msg txDEK =
           is_PrivateP (DEK_encrypt_select (getEM_KEY_info msg)) txDEK
                       (getEM_msg_EncryptedKey msg)
                       recipientkey
    ENCRYPTED_is_PrivateS
      |- !msg message.
           ENCRYPTED_is_PrivateS msg message =
           (let rxDEK = getEM_msg_DEK msg
            and
            decryptIV = getEM_msg_MsgEncryptIV msg
            in
            is_PrivateS (msg_Encrypt_select (getEM_DEK_info msg)) message
                        (getEM_Message_info msg)
                        decryptIV
                        rxDEK)
    ENCRYPTED_is_Authentic2
      |- !msg.
           ENCRYPTED_is_Authentic2 msg =
           (let micinfo = getEM_MIC_info msg
            in
            let ekey = get_Key_from_ID (getEM_OriginatorAsymID_info msg)
            in
            is_Authentic2 (MIC_sign_select micinfo) (MIC_hash_select micinfo)
                          (getEM_msg_message msg)
                          (getEM_msg_MIC msg)
                          ekey)
    ENCRYPTED_is_Intact
      |- !msg.
           ENCRYPTED_is_Intact msg =
           (let micinfo = getEM_MIC_info msg
            in
            let ekey = get_Key_from_ID (getEM_OriginatorAsymID_info msg)
            in
            is_Intact (MIC_sign_select micinfo) (MIC_hash_select micinfo)
                      (getEM_msg_message msg)
                      (getEM_msg_MIC msg)
                      ekey)
    ENCRYPTED_is_non_deniable
      |- !msg.
           ENCRYPTED_is_non_deniable msg =
           (let micinfo = getEM_MIC_info msg
            in
            let ekey = get_Key_from_ID (getEM_OriginatorAsymID_info msg)
            and
            hash = MIC_hash_select micinfo
            in
            is_non_deniable (MIC_sign_select micinfo)
                            (hash (getEM_msg_message msg))
                            (getEM_msg_MIC msg)
                            ekey)
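The definitions above chain three decryptions: getEM_msg_DEK unwraps the DEK with recipientkey, and getEM_msg_message and getEM_msg_MIC then decrypt the text and the MIC under that DEK and the IV taken from DEK_Info, before the same checks as for MIC-CLEAR are applied. What follows is an added example, not from the original appendix or from the Chin/Zhou HOL development: a Python model of that chain and of ENCRYPTED_is_PrivateP and ENCRYPTED_is_PrivateS, run once with the intended recipient's key and once with another key. Assumptions, all mine: the standard library has no DES, so DES-CBC and the RSA wrapping of the DEK are both replaced by a SHA-256 keystream XOR (symmetric, counter-mode style) that exhibits only the two properties the theorems rely on (decryption inverts encryption under the same key, and a different key gives a different result); recipientkey, a constant in the HOL, is passed as a parameter; the MIC slot carries the hash of the text, since signing is covered by the MIC-CLEAR example; and is_PrivateP and is_PrivateS are read as "the recovered value equals the one the sender used".

```python
import hashlib

# Symmetric stand-ins (assumption, see lead-in): a SHA-256 keystream XOR in
# place of DES-CBC, and the same construction keyed with recipientkey in place
# of RSA for the DEK.  Encryption and decryption are the same function.
def xor_keystream(data, key, iv):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

CIPHER_BY_ID = {"XOR-SHA256-CTR": xor_keystream}                         # in place of DES_CBC
WRAP_BY_ID = {"XOR-SHA256-WRAP":
              lambda blob, rkey: xor_keystream(blob, rkey, b"DEK-wrap")}   # in place of RSA

# The 10-tuple of ENCRYPTED_example, indexed as the FST/SND selectors above.
def ENCRYPTED_example(iv, s1, s2, s3, s4, s5, s6):
    return (("BEGIN", "PRIVACY-ENHANCED MAIL"),
            ("Proc-Type", (4, "ENCRYPTED")),
            ("Content-Domain", "RFC822"),
            ("XOR-SHA256-CTR", iv),              # DEK_Info (algid, IV)
            s1,                                  # ID_Asymmetric of originator
            [s2],                                # [Certificate]
            ("RSA-SHA256", "RSA", s3),           # MIC_Info (hash, sign, encrypted MIC)
            [(s4, ("XOR-SHA256-WRAP", s5))],     # [(recipient ID, Key_Info (algid, wrapped DEK))]
            s6,                                  # encrypted text
            ("END", "PRIVACY-ENHANCED MAIL"))

def getEM_DEK_info(x):           return x[3]
def getEM_MIC_info(x):           return x[6]
def getEM_KEY_info(x):           return x[7][0][1]     # SND (HD ...): first recipient's Key_Info
def getEM_Message_info(x):       return x[8]
def getEM_msg_MsgEncryptIV(x):   return getEM_DEK_info(x)[1]
def getEM_msg_EncryptedMIC(x):   return getEM_MIC_info(x)[2]
def getEM_msg_EncryptedKey(x):   return getEM_KEY_info(x)[1]
def DEK_encrypt_select(keyinfo): return WRAP_BY_ID[keyinfo[0]]
def msg_Encrypt_select(dekinfo): return CIPHER_BY_ID[dekinfo[0]]

def getEM_msg_DEK(x, recipientkey):
    return DEK_encrypt_select(getEM_KEY_info(x))(getEM_msg_EncryptedKey(x), recipientkey)

def getEM_msg_message(x, recipientkey):
    return msg_Encrypt_select(getEM_DEK_info(x))(
        getEM_Message_info(x), getEM_msg_DEK(x, recipientkey), getEM_msg_MsgEncryptIV(x))

def getEM_msg_MIC(x, recipientkey):
    return msg_Encrypt_select(getEM_DEK_info(x))(
        getEM_msg_EncryptedMIC(x), getEM_msg_DEK(x, recipientkey), getEM_msg_MsgEncryptIV(x))

# is_PrivateP / is_PrivateS read as "the recovered value is the one the sender used".
def ENCRYPTED_is_PrivateP(x, txDEK, recipientkey):
    return getEM_msg_DEK(x, recipientkey) == txDEK

def ENCRYPTED_is_PrivateS(x, message, recipientkey):
    return getEM_msg_message(x, recipientkey) == message

def run_scenarios():
    """Constructed data; returns the predicate outcomes for the intended and a wrong recipient."""
    bob_key = hashlib.sha256(b"bob recipient key (constructed)").digest()
    eve_key = hashlib.sha256(b"eve key (constructed)").digest()
    dek = hashlib.sha256(b"per-message DEK (constructed)").digest()[:16]   # KEY0 in the theorem
    iv = bytes(range(8))
    text = b"Transfer 100 EUR to account 42"
    mic_plain = hashlib.sha256(text).hexdigest().encode()   # stands in for the signed MIC
    enc = CIPHER_BY_ID["XOR-SHA256-CTR"]
    msg = ENCRYPTED_example(iv, "alice", "cert-of-alice", enc(mic_plain, dek, iv),
                            "bob", WRAP_BY_ID["XOR-SHA256-WRAP"](dek, bob_key),
                            enc(text, dek, iv))
    results = {}
    for who, rkey in (("bob", bob_key), ("eve", eve_key)):
        rx_dek = getEM_msg_DEK(msg, rkey)
        results[who] = {
            "private_dek": ENCRYPTED_is_PrivateP(msg, dek, rkey),
            "private_msg": ENCRYPTED_is_PrivateS(msg, text, rkey),
            # ENCRYPTED_is_Private_msg: (key = KEY0) = ENCRYPTED_is_PrivateS msg message
            "theorem_holds": (rx_dek == dek) == ENCRYPTED_is_PrivateS(msg, text, rkey),
            # the MIC is decrypted under the same DEK/IV, then checked against the recovered text
            "mic_matches": getEM_msg_MIC(msg, rkey)
                           == hashlib.sha256(getEM_msg_message(msg, rkey)).hexdigest().encode(),
        }
    return results
```

The eve run shows what the theorem ENCRYPTED_is_Private_msg states: is_PrivateS is exactly the proposition key = KEY0. The practical consequence in PEM is that a recipient holding the wrong private key learns nothing from the MIC check either, because the MIC is decrypted under the same (wrong) DEK; integrity of an ENCRYPTED message can only be judged once the DEK has been recovered correctly.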


Theorems:
    ENCRYPTED_is_Private_DEK
      |- !Encrypted_msg encryptP DEK dKEY0 dkey.
           let Key_info = getEM_KEY_info Encrypted_msg
           in
           let decryptP = DEK_encrypt_select Key_info
           and
           rxmsg = getEM_msg_EncryptedKey Encrypted_msg
           and
           dkey = recipientkey
           in
           (rxmsg = txmsg) ==>
           (txmsg = encryptP DEK ekey) ==>
           (!msg. decryptP (encryptP msg ekey) dKEY0 = msg) ==>
           (!msg d0.
              (decryptP (encryptP msg ekey) d0 = msg) ==> (d0 = dKEY0)) ==>
           ((dkey = dKEY0) = ENCRYPTED_is_PrivateP Encrypted_msg DEK)
    ENCRYPTED_is_Private_msg
      |- !Encrypted_msg encryptS message DEK.
           let DEK_info = getEM_DEK_info Encrypted_msg
           in
           let decryptS = msg_Encrypt_select DEK_info
           and
           rxmsg = getEM_Message_info Encrypted_msg
           and
           decryptIV = getEM_msg_MsgEncryptIV Encrypted_msg
           and
           KEY0 = DEK
           and
           key = getEM_msg_DEK Encrypted_msg
           in
           (rxmsg = txmsg) ==>
           (txmsg = encryptS message KEY0 decryptIV) ==>
           (!msg key.
              (decryptS (encryptS msg key decryptIV) key decryptIV = msg) /\
              (!msg key1.
                 (decryptS msg key1 decryptIV = decryptS msg key decryptIV) =
                 key =
                 key1)) ==>
           ((key = KEY0) = ENCRYPTED_is_PrivateS Encrypted_msg message)
    ENCRYPTED_is_Authentic_msg
      |- !Encrypted_msg sign txmic dKEY0 dkey.
           let micinfo = getEM_MIC_info Encrypted_msg
           in
           let verify = MIC_sign_select micinfo
           and
           hash = MIC_hash_select micinfo
           and
           message = getEM_msg_message Encrypted_msg
           and
           rxmic = getEM_msg_MIC Encrypted_msg
           and
           ekey = get_Key_from_ID (getEM_OriginatorAsymID_info Encrypted_msg)
           in
           (rxmic = txmic) ==>
           (txmic = sign (hash message) dkey) ==>
           (!m1 m2 dkey2. verify m1 (sign m2 dkey2) ekey = dkey2 = dKEY0) ==>
           ((dkey = dKEY0) = ENCRYPTED_is_Authentic2 Encrypted_msg)
    ENCRYPTED_is_Intact_msg
      |- !Encrypted_msg sign txmessage txmic dkey.
           let micinfo = getEM_MIC_info Encrypted_msg
           in
           let verify = MIC_sign_select micinfo
           and
           hash = MIC_hash_select micinfo
           and
           rxmessage = getEM_msg_message Encrypted_msg
           and
           rxmic = getEM_msg_MIC Encrypted_msg
           and
           ekey = get_Key_from_ID (getEM_OriginatorAsymID_info Encrypted_msg)
           in
           (txmic = sign (hash txmessage) dkey) ==>
           (rxmic = txmic) ==>
           (!m1 m2. (hash m1 = hash m2) ==> (m1 = m2)) ==>
           (!s1 s2. verify s1 (sign s2 dkey) ekey = s1 = s2) ==>
           ((rxmessage = txmessage) = ENCRYPTED_is_Intact Encrypted_msg)
    ENCRYPTED_is_non_deniable_msg

|-  lEncrypted.mag  aign  lESSAOEO  txmic  dlEYO  dkey. 
let  micinlo  a  getEI.HIC.inlo  Encrypted.mag 
in 

let  verily  a  IlC.aign.aelect  micinlo 
ind 

liiali  a  lic.hiah.aelect  micinlo 
ind 

meaaige  a  getEI.mag.moaaige  Encrypted.mag 
uid 

rxmic  a  getEI.mag.IIC  Encrypted.mag 
ind 
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■  get.Rey.irom.ID  (getEF.DrigiiLa.torA3ynID.inf0  Encrypted. msg) 
in 

(rxrnic  t  txmic)  ::> 

(txrnic  :  sign  (hash  IESSA5E0)  dkey)  5t> 

(ini  ni.  (hash  nl  :  hash  ni>  t  nl  :  ni>  ::> 

(ini  nl  dheyl. 

Yerify  nl  (sign  nl  dkeyl)  ekey  :  (ml  t  nl)  l\  (dkoyl  :  dKEYO)) 
((dkey  :  dlEYO)  l\  (nessage  t  lESSADEO)  t 
EFCRYPTED. is. non. deniable  Encrypt ed.nsg) 


E.2  pem_encrypted.sml 


(*=================================================================*)
(* File:        pem_encrypted.sml                                  *)
(* Description: selector and security function for                *)
(*              ENCRYPTED message                                  *)
(* Date:        Aug. 10, 1996                                      *)
(* Author:      Dan Zhou                                           *)
(*=================================================================*)

new_theory "pem_encrypted";

load_library{lib = hol88_lib, theory = "-"};
open Psyntax Compat;

new_parent "pem_syntax";
new_parent "pem_definitions";

add_theory_to_sml "pem_syntax";
add_theory_to_sml "pem_definitions";

(*=================================================================*)

(* abbreviated PEM message type *)
val encryptedmsg = ty_antiq
  (==`:(preeb#proctype#contentdomain#dekinfo#id_asymmetric
        #(certificate list)#MIC_info#(id_asymmetric#Key_info) list
        #string#posteb)`==);                (* string: pemtext *)


(*=================================================================*)

val ENCRYPTED_example = new_definition
  ("ENCRYPTED_example",
   --`ENCRYPTED_example s1 s2 s3 s4 s5 s6 =
      (BEGIN "PRIVACY-ENHANCED MAIL",
       Proc_Type (4, ENCRYPTED),
       Content_Domain RFC822,
       DEK_Info (DES_CBC, (IV:IV)),
       ID_Asymmetric (s1:string),
       [Certificate (s2:string)],
       MIC_Info (RSA_MD5, RSA, (s3:string)),                     (* asymsignmic *)
       [(ID_Asymmetric (s4:string), Key_Info (RSA, (s5:string)))],  (* asymsgkey *)
       (s6:string),                                               (* pemtext *)
       END "PRIVACY-ENHANCED MAIL")`--);


(*=================================================================*)

(* retrieve raw fields from received PEM-Encrypted-Message *)
(* without any operation                                   *)

(* message Encryption Algorithm, and IV *)
val getEN_DEK_info = new_definition ("getEN_DEK_info",
  --`getEN_DEK_info (x:^encryptedmsg)
     = FST(SND(SND(SND x)))`--);

(* sender ID, this field can replace the sender's certificate *)
val getEN_OriginatorAsymID_info = new_definition
  ("getEN_OriginatorAsymID_info",
   --`getEN_OriginatorAsymID_info (x:^encryptedmsg)
      = FST(SND(SND(SND(SND x))))`--);

(* CA certificate *)
val getEN_IssuerCert_info = new_definition
  ("getEN_IssuerCert_info",
   --`getEN_IssuerCert_info (x:^encryptedmsg)
      = FST(SND(SND(SND(SND(SND x)))))`--);

(* Message Digest Algorithm, Message Digest Sign Algorithm, *)
(* *encrypted* MIC                                           *)
val getEN_MIC_info = new_definition ("getEN_MIC_info",
  --`getEN_MIC_info (x:^encryptedmsg)
     = FST(SND(SND(SND(SND(SND(SND x))))))`--);

(* recipient ID. For recipient's certificate *)
(* this will not be used until later         *)
val getEN_Recipients_info = new_definition ("getEN_Recipients_info",
  --`getEN_Recipients_info (x:^encryptedmsg)
     = FST(SND(SND(SND(SND(SND(SND(SND x)))))))`--);

(* Recipient ID: this is used to get the public/private key *)
(* of recipient                                             *)
(* this is not used right now.                              *)
(* We just assume recipient publickey and private key is   *)
(* available                                                *)

(* Recipient Key-info: per-message key encryption Algorithm *)
(* and Encrypted per-message key                            *)
(* this will be used temporarily                            *)
val getEN_KEY_info = new_definition ("getEN_KEY_info",
  --`getEN_KEY_info (x:^encryptedmsg)
     = SND(HD (FST(SND(SND(SND(SND(SND(SND(SND x)))))))))`--);

(* the encrypted message *)
val getEN_Message_info = new_definition ("getEN_Message_info",
  --`getEN_Message_info (x:^encryptedmsg)
     = FST(SND(SND(SND(SND(SND(SND(SND(SND x))))))))`--);


(* retrieve each individual sub-field from raw message field *)

(* Message encryption Algorithm *)
val getEN_msg_MsgEncryptID = new_definition
  ("getEN_msg_MsgEncryptID",
   --`getEN_msg_MsgEncryptID (x:^encryptedmsg)
      = get_DEK_algid (getEN_DEK_info x)`--);

(* Message encryption IV *)
val getEN_msg_MsgEncryptIV = new_definition
  ("getEN_msg_MsgEncryptIV",
   --`getEN_msg_MsgEncryptIV (x:^encryptedmsg)
      = get_DEK_IV (getEN_DEK_info x)`--);

(* Hash Algorithm *)
val getEN_msg_HashID = new_definition ("getEN_msg_HashID",
  --`getEN_msg_HashID (x:^encryptedmsg)
     = get_MIC_algid (getEN_MIC_info x)`--);

(* Sign Algorithm for message digest *)
val getEN_msg_SignID = new_definition ("getEN_msg_SignID",
  --`getEN_msg_SignID (x:^encryptedmsg)
     = get_MIC_sigalgid (getEN_MIC_info x)`--);

(* Encrypted MIC *)
val getEN_msg_EncryptedMIC = new_definition
  ("getEN_msg_EncryptedMIC",
   --`getEN_msg_EncryptedMIC (x:^encryptedmsg)
      = get_MIC_mic (getEN_MIC_info x)`--);

(*=================================================================*)

(* message key encryption Algorithm *)
val getEN_msg_KeyEncryptID = new_definition ("getEN_msg_KeyEncryptID",
  --`getEN_msg_KeyEncryptID (x:^encryptedmsg)
     = get_KEY_algid (getEN_KEY_info x)`--);

(* Encrypted message Key *)
val getEN_msg_EncryptedKey = new_definition ("getEN_msg_EncryptedKey",
  --`getEN_msg_EncryptedKey (x:^encryptedmsg)
     = get_KEY_asymsgkey (getEN_KEY_info x)`--);

(* extract DEK/original message/MIC from the received message *)
val getEN_msg_DEK = new_definition ("getEN_msg_DEK",
  --`getEN_msg_DEK (x:^encryptedmsg)
     = (DEK_encrypt_select (getEN_KEY_info x))
       (getEN_msg_EncryptedKey x) recipientkey`--);

val getEN_msg_message = new_definition ("getEN_msg_message",
  --`getEN_msg_message (x:^encryptedmsg)
     = (msg_Encrypt_select (getEN_DEK_info x))
       (getEN_Message_info x) (getEN_msg_DEK x)
       (getEN_msg_MsgEncryptIV x)`--);

(* notice here the IV is the same as message encryption IV *)
(* this is my assumption                                    *)
val getEN_msg_MIC = new_definition ("getEN_msg_MIC",
  --`getEN_msg_MIC (x:^encryptedmsg)
     = (msg_Encrypt_select (getEN_DEK_info x))
       (getEN_msg_EncryptedMIC x)
       (getEN_msg_DEK x) (getEN_msg_MsgEncryptIV x)`--);


(* Define security functions for PEM-Encrypted-Message *)
(* by this, we test the DEK is private.                *)
val ENCRYPTED_is_PrivateP = new_definition ("ENCRYPTED_is_PrivateP",
  --`ENCRYPTED_is_PrivateP (msg:^encryptedmsg) (txDEK:string)
     = is_PrivateP (DEK_encrypt_select (getEN_KEY_info msg))
                   txDEK (getEN_msg_EncryptedKey msg) recipientkey`--);

(* by this, we test the msg is private. *)
val ENCRYPTED_is_PrivateS = new_definition ("ENCRYPTED_is_PrivateS",
  --`ENCRYPTED_is_PrivateS (msg:^encryptedmsg) (message:string)
     = let rxDEK = getEN_msg_DEK msg
       and decryptIV = getEN_msg_MsgEncryptIV msg
       in
       (is_PrivateS (msg_Encrypt_select (getEN_DEK_info msg))
                    message (getEN_Message_info msg) decryptIV rxDEK)`--);

(* test for message authentication, no need to use the other *)
(* form                                                       *)
val ENCRYPTED_is_Authentic2 = new_definition (
  "ENCRYPTED_is_Authentic2",
  --`ENCRYPTED_is_Authentic2 (msg:^encryptedmsg)
     = (let micinfo = getEN_MIC_info msg in
        (let ekey = get_Key_from_ID (getEN_OriginatorAsymID_info msg)
         in
         (is_Authentic2 (MIC_sign_select micinfo)
                        (MIC_hash_select micinfo) (getEN_msg_message msg)
                        (getEN_msg_MIC msg) ekey)))`--);

(* by this, we test the message that Originator sent is intact *)
val ENCRYPTED_is_Intact = new_definition ("ENCRYPTED_is_Intact",
  (--`ENCRYPTED_is_Intact (msg:^encryptedmsg)
      = (let micinfo = getEN_MIC_info msg in
         (let ekey = get_Key_from_ID (getEN_OriginatorAsymID_info msg)
          in
          (is_Intact (MIC_sign_select micinfo)
                     (MIC_hash_select micinfo) (getEN_msg_message msg)
                     (getEN_msg_MIC msg) ekey)))`--));

(* test for message non-deniability *)
val ENCRYPTED_is_non_deniable = new_definition (
  "ENCRYPTED_is_non_deniable",
  --`ENCRYPTED_is_non_deniable (msg:^encryptedmsg)
     = (let micinfo = getEN_MIC_info msg in
        (let ekey = get_Key_from_ID (getEN_OriginatorAsymID_info msg)
         and hash = MIC_hash_select micinfo
         in
         (is_non_deniable (MIC_sign_select micinfo)
                          (hash (getEN_msg_message msg))
                          (getEN_msg_MIC msg) ekey)))`--);

close_theory();
export_theory();


(* prove properties of Encrypted PEM message *)

fun let_ELIM_CONV t =
  TRY_CONV (let_CONV THENC let_ELIM_CONV) t;

(*=================================================================*)
(* 1. ENCRYPTED_is_Private_DEK                                     *)
(*    recipientkey: the private key of recipient                   *)
(*    ekey:         public key of the intended recipient           *)
(*    dKEY0:        private key of the intended recipient          *)
(*=================================================================*)

val th1 = let_ELIM_CONV
  (--`let Key_info = getEN_KEY_info Encrypted_msg in
      let decryptP = DEK_encrypt_select Key_info
      and rxmsg = getEN_msg_EncryptedKey Encrypted_msg
      and dkey = recipientkey
      in
      (rxmsg = txmsg) ==>
      (txmsg = encryptP DEK (ekey:string)) ==>
      (!msg. decryptP (encryptP msg ekey) dKEY0 = msg) ==>
      (!msg d2. (decryptP (encryptP msg ekey) d2 = msg)
                ==> (d2 = dKEY0)) ==>
      ((dkey = dKEY0) = ENCRYPTED_is_PrivateP
                          Encrypted_msg (DEK:string))`--);

(* --- is there a need to have dkey=recipientkey --- *)

val ENCRYPTED_is_Private_DEK = prove_thm
  ("ENCRYPTED_is_Private_DEK",
   --`!(Encrypted_msg:^encryptedmsg)
       (encryptP: string->string->string)
       (DEK: string) (dKEY0: string) (dkey: string).
      let Key_info = getEN_KEY_info Encrypted_msg in
      let decryptP = DEK_encrypt_select Key_info
      and rxmsg = getEN_msg_EncryptedKey Encrypted_msg
      and dkey = recipientkey
      in
      (rxmsg = txmsg) ==>
      (txmsg = encryptP DEK ekey) ==>
      (!msg. decryptP (encryptP msg ekey) dKEY0 = msg) ==>
      (!msg d2. (decryptP (encryptP msg ekey) d2 = msg)
                ==> (d2 = dKEY0)) ==>
      ((dkey = dKEY0)
       = ENCRYPTED_is_PrivateP Encrypted_msg DEK)`--,
   REPEAT GEN_TAC THEN
   REWRITE_TAC [th1] THEN
   REWRITE_TAC [ENCRYPTED_is_PrivateP] THEN
   ACCEPT_TAC (SPECL
     [--`DEK_encrypt_select (getEN_KEY_info Encrypted_msg)`--,
      --`encryptP: string -> string -> string`--,
      --`DEK: string`--,
      --`txmsg: string`--,
      --`getEN_msg_EncryptedKey Encrypted_msg`--,
      --`ekey: string`--,
      --`dKEY0: string`--,
      --`recipientkey: string`--] is_Private_DEK));


(*=================================================================*)
(* 2. ENCRYPTED_is_Private_msg                                     *)
(*=================================================================*)

val th1 = let_ELIM_CONV (
  --`let DEK_info = getEN_DEK_info Encrypted_msg in
     let decryptS = msg_Encrypt_select DEK_info
     and rxmsg = getEN_Message_info Encrypted_msg
     and decryptIV = getEN_msg_MsgEncryptIV Encrypted_msg
     and KEY0 = DEK
     and key = getEN_msg_DEK Encrypted_msg
     in
     (rxmsg = txmsg) ==>
     (txmsg = encryptS message KEY0 decryptIV) ==>
     (!msg key. (decryptS (encryptS msg key decryptIV)
                          key decryptIV = msg) /\
      !msg key1. ((decryptS msg key1 decryptIV =
                   decryptS msg key decryptIV) = key = key1)) ==>
     ((key = KEY0)
      = ENCRYPTED_is_PrivateS Encrypted_msg message)`--);

val th2 = let_ELIM_CONV (
  --`let rxDEK = getEN_msg_DEK msg
     and decryptIV = getEN_msg_MsgEncryptIV msg
     in
     is_PrivateS (msg_Encrypt_select (getEN_DEK_info msg)) message
                 (getEN_Message_info msg)
                 decryptIV
                 rxDEK`--);

val th3 = REWRITE_RULE [th2] ENCRYPTED_is_PrivateS;

val ENCRYPTED_is_Private_msg = prove_thm
  ("ENCRYPTED_is_Private_msg",
   --`!(Encrypted_msg:^encryptedmsg)
       (encryptS: string->string->IV->string)
       (message: string) (DEK: string).
      let DEK_info = getEN_DEK_info Encrypted_msg in
      let decryptS = msg_Encrypt_select DEK_info
      and rxmsg = getEN_Message_info Encrypted_msg
      and decryptIV = getEN_msg_MsgEncryptIV Encrypted_msg
      and KEY0 = DEK
      and key = getEN_msg_DEK Encrypted_msg
      in
      (rxmsg = txmsg) ==>
      (txmsg = encryptS message KEY0 decryptIV) ==>
      (!msg key. (decryptS (encryptS msg key decryptIV)
                           key decryptIV = msg) /\
       !msg key1. ((decryptS msg key1 decryptIV =
                    decryptS msg key decryptIV) = key = key1)) ==>
      ((key = KEY0)
       = ENCRYPTED_is_PrivateS Encrypted_msg message)`--,
   REPEAT GEN_TAC THEN
   REWRITE_TAC [th1] THEN
   REWRITE_TAC [th3] THEN
   ACCEPT_TAC (SPECL
     [--`msg_Encrypt_select (getEN_DEK_info Encrypted_msg)`--,
      --`encryptS: string -> string -> IV -> string`--,
      --`message: string`--,
      --`txmsg: string`--,
      --`getEN_Message_info Encrypted_msg`--,
      --`getEN_msg_MsgEncryptIV Encrypted_msg`--,
      --`DEK:string`--,
      --`getEN_msg_DEK Encrypted_msg`--] is_Private_msg));


(*=================================================================*)
(* 3. ENCRYPTED_is_Authentic_msg                                   *)
(*    dkey:  originator's private key                              *)
(*    dKEY0: the key of the one we think who sent the mail         *)
(*    ekey:  the public key of the one who we think sent the mail  *)
(*           since ekey is publicly known. --- May need more work --- *)
(*=================================================================*)

val th1 = let_ELIM_CONV
  (--`let micinfo = getEN_MIC_info Encrypted_msg in
      let verify = MIC_sign_select micinfo
      and hash = MIC_hash_select micinfo
      and message = getEN_msg_message Encrypted_msg
      and rxmic = getEN_msg_MIC Encrypted_msg
      and ekey = get_Key_from_ID
                   (getEN_OriginatorAsymID_info Encrypted_msg)
      in
      (rxmic = txmic) ==>
      (txmic = (sign:string->string->string) (hash message) dkey) ==>
      (!m1 m2 dkey2. verify m1 (sign m2 dkey2) ekey
                     = dkey2 = dKEY0) ==>
      ((dkey = dKEY0) =
       ENCRYPTED_is_Authentic2 Encrypted_msg)`--);

val th2 = let_ELIM_CONV
  (--`let micinfo = getEN_MIC_info msg in
      (let ekey = get_Key_from_ID (getEN_OriginatorAsymID_info msg)
       in
       (is_Authentic2 (MIC_sign_select micinfo)
                      (MIC_hash_select micinfo) (getEN_msg_message msg)
                      (getEN_msg_MIC msg) ekey))`--);

val th3 = REWRITE_RULE [th2] ENCRYPTED_is_Authentic2;

val ENCRYPTED_is_Authentic_msg = prove_thm
  ("ENCRYPTED_is_Authentic_msg",
   --`!(Encrypted_msg:^encryptedmsg)
       (sign: string -> string -> string) (txmic:string)
       (dKEY0:string) (dkey:string).
      let micinfo = getEN_MIC_info Encrypted_msg in
      let verify = MIC_sign_select micinfo
      and hash = MIC_hash_select micinfo
      and message = getEN_msg_message Encrypted_msg
      and rxmic = getEN_msg_MIC Encrypted_msg
      and ekey = get_Key_from_ID
                   (getEN_OriginatorAsymID_info Encrypted_msg)
      in
      (rxmic = txmic) ==>
      (txmic = (sign:string->string->string) (hash message) dkey) ==>
      (!m1 m2 dkey2. verify m1 (sign m2 dkey2) ekey
                     = dkey2 = dKEY0) ==>
      ((dkey = dKEY0) =
       ENCRYPTED_is_Authentic2 Encrypted_msg)`--,
   REPEAT GEN_TAC THEN
   REWRITE_TAC [th1] THEN
   REWRITE_TAC [th3] THEN
   ACCEPT_TAC (SPECL
     [--`MIC_sign_select (getEN_MIC_info Encrypted_msg)`--,
      --`sign: string -> string -> string`--,
      --`MIC_hash_select (getEN_MIC_info Encrypted_msg)`--,
      --`getEN_msg_message Encrypted_msg`--,
      --`txmic: string`--,
      --`getEN_msg_MIC Encrypted_msg`--,
      --`get_Key_from_ID
           (getEN_OriginatorAsymID_info Encrypted_msg)`--,
      --`dKEY0: string`--,
      --`dkey: string`--] is_Authentic_msg));


(*=================================================================*)
(* 4. ENCRYPTED_is_Intact_msg                                      *)
(*=================================================================*)

val th1 = let_ELIM_CONV
  (--`let micinfo = getEN_MIC_info Encrypted_msg
      in
      let verify = MIC_sign_select micinfo
      and hash = MIC_hash_select micinfo
      and rxmessage = getEN_msg_message Encrypted_msg
      and rxmic = getEN_msg_MIC Encrypted_msg
      and ekey = get_Key_from_ID
                   (getEN_OriginatorAsymID_info Encrypted_msg)
      in
      (txmic = (sign:string->string->string) (hash txmessage) dkey) ==>
      (rxmic = txmic) ==>
      (!m1 m2. (hash m1 = hash m2) ==> (m1 = m2)) ==>
      (!s1 s2. verify s1 (sign s2 dkey) ekey = s1 = s2) ==>
      ((rxmessage = txmessage) = ENCRYPTED_is_Intact Encrypted_msg)`--);

val th2 = let_ELIM_CONV
  (--`let micinfo = getEN_MIC_info msg
      in
      let ekey = get_Key_from_ID (getEN_OriginatorAsymID_info msg)
      in
      is_Intact (MIC_sign_select micinfo) (MIC_hash_select micinfo)
                (getEN_msg_message msg)
                (getEN_msg_MIC msg) ekey`--);

val th3 = REWRITE_RULE [th2] ENCRYPTED_is_Intact;

val ENCRYPTED_is_Intact_msg = prove_thm ("ENCRYPTED_is_Intact_msg",
  --`!(Encrypted_msg:^encryptedmsg)
      (sign: string->string->string)
      (txmessage: string) (txmic:string) (dkey: string).
     let micinfo = getEN_MIC_info Encrypted_msg in
     let verify = MIC_sign_select micinfo
     and hash = MIC_hash_select micinfo
     and rxmessage = getEN_msg_message Encrypted_msg
     and rxmic = getEN_msg_MIC Encrypted_msg
     and ekey = get_Key_from_ID
                  (getEN_OriginatorAsymID_info Encrypted_msg)
     in
     (txmic = sign (hash txmessage) dkey) ==>
     (rxmic = txmic) ==>
     (!m1 m2. (hash m1 = hash m2) ==> (m1 = m2)) ==>
     (!s1 s2. verify s1 (sign s2 dkey) ekey = s1 = s2) ==>
     ((rxmessage = txmessage) = ENCRYPTED_is_Intact Encrypted_msg)`--,
  REPEAT GEN_TAC THEN
  REWRITE_TAC [th1] THEN
  REWRITE_TAC [th3] THEN
  ACCEPT_TAC (SPECL
    [--`MIC_sign_select (getEN_MIC_info (Encrypted_msg:^encryptedmsg))`--,
     --`sign:string->string->string`--,
     --`MIC_hash_select (getEN_MIC_info (Encrypted_msg:^encryptedmsg))`--,
     --`txmessage:string`--,
     --`getEN_msg_message (Encrypted_msg:^encryptedmsg)`--,
     --`txmic: string`--,
     --`getEN_msg_MIC (Encrypted_msg:^encryptedmsg)`--,
     --`get_Key_from_ID
          (getEN_OriginatorAsymID_info (Encrypted_msg:^encryptedmsg))`--,
     --`dkey:string`--] is_Intact_msg));


(*=================================================================*)
(* 5. ENCRYPTED_is_non_deniable_msg                                *)
(*=================================================================*)

val th1 = let_ELIM_CONV (
  --`let micinfo = getEN_MIC_info Encrypted_msg in
     let verify = MIC_sign_select micinfo
     and hash = MIC_hash_select micinfo
     and message = getEN_msg_message Encrypted_msg
     and rxmic = getEN_msg_MIC Encrypted_msg
     and ekey = get_Key_from_ID
                  (getEN_OriginatorAsymID_info Encrypted_msg)
     in
     (rxmic = txmic) ==>
     (txmic = (sign: string->string->string)
                (hash MESSAGE0) dkey) ==>
     (!m1 m2. (hash m1 = hash m2) = m1 = m2) ==>
     (!m1 m2 dkey2. verify m1 (sign m2 dkey2) ekey
                    = (m1 = m2) /\ (dkey2 = dKEY0)) ==>
     ((dkey = dKEY0) /\ (message = MESSAGE0) =
      ENCRYPTED_is_non_deniable Encrypted_msg)`--);

val th2 = let_ELIM_CONV (
  --`let micinfo = getEN_MIC_info msg
     in
     let ekey = get_Key_from_ID (getEN_OriginatorAsymID_info msg)
     and hash = MIC_hash_select micinfo
     in
     is_non_deniable (MIC_sign_select micinfo)
                     (hash (getEN_msg_message msg)) (getEN_msg_MIC msg) ekey`--);

val th3 = REWRITE_RULE [th2] ENCRYPTED_is_non_deniable;

val ENCRYPTED_is_non_deniable_msg = prove_thm
  ("ENCRYPTED_is_non_deniable_msg",
   --`!(Encrypted_msg:^encryptedmsg)
       (sign: string -> string -> string) MESSAGE0 txmic dKEY0 dkey.
      let micinfo = getEN_MIC_info Encrypted_msg in
      let verify = MIC_sign_select micinfo
      and hash = MIC_hash_select micinfo
      and message = getEN_msg_message Encrypted_msg
      and rxmic = getEN_msg_MIC Encrypted_msg
      and ekey = get_Key_from_ID
                   (getEN_OriginatorAsymID_info Encrypted_msg)
      in
      (rxmic = txmic) ==>
      (txmic = sign (hash MESSAGE0) dkey) ==>
      (!m1 m2. (hash m1 = hash m2) = m1 = m2) ==>
      (!m1 m2 dkey2. verify m1 (sign m2 dkey2) ekey
                     = (m1 = m2) /\ (dkey2 = dKEY0)) ==>
      ((dkey = dKEY0) /\ (message = MESSAGE0) =
       ENCRYPTED_is_non_deniable Encrypted_msg)`--,
   REPEAT GEN_TAC THEN
   REWRITE_TAC [th1] THEN
   REWRITE_TAC [th3] THEN
   ACCEPT_TAC (SPECL
     [--`MIC_sign_select (getEN_MIC_info Encrypted_msg)`--,
      --`sign: string -> string -> string`--,
      --`MIC_hash_select (getEN_MIC_info Encrypted_msg)`--,
      --`getEN_msg_message Encrypted_msg`--,
      --`MESSAGE0: string`--,
      --`txmic: string`--,
      --`getEN_msg_MIC Encrypted_msg`--,
      --`get_Key_from_ID
           (getEN_OriginatorAsymID_info Encrypted_msg)`--,
      --`dKEY0: string`--,
      --`dkey: string`--] is_non_deniable_msg));
export_theory();
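As an added executable illustration of the theory listed above (not the page's HOL source and not Dan Zhou's code), the Python below mirrors the 10-field message tuple, the FST/SND selectors, the DEK/message/MIC recovery, and the ENCRYPTED_is_PrivateS and ENCRYPTED_is_Intact checks. It assumes toy stand-ins for the DES-CBC and RSA primitives (a SHA-256-keyed XOR stream cipher and a SHA-256-based sign/verify pair over a constructed key directory), and it assumes that is_PrivateS and is_Intact, whose definitions live in pem_definitions rather than on this page, have the reading the theorems give them.

```python
import hashlib

# Toy stand-ins for DES-CBC and RSA, constructed for this example only.
KEYPAIRS = {b"pub-originator": b"priv-originator", b"pub-recipient": b"priv-recipient"}
DIRECTORY = {"originator@example": b"pub-originator", "recipient@example": b"pub-recipient"}

def _stream(key, iv, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def msg_encrypt(data, dek, iv):
    """msg_Encrypt_select stand-in: XOR stream cipher, so it is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _stream(dek, iv, len(data))))

def dek_encrypt(dek, ekey):                 # encryptP dek ekey (toy: keyed by the pair's private half)
    return msg_encrypt(dek, KEYPAIRS[ekey], b"dek")

def dek_decrypt(edek, dkey):                # decryptP edek dkey
    return msg_encrypt(edek, dkey, b"dek")

def msg_hash(data):                         # MIC_hash_select stand-in (SHA-256 in place of MD5)
    return hashlib.sha256(data).digest()

def sign(digest, dkey):
    return hashlib.sha256(dkey + digest).digest()

def verify(digest, sig, ekey):              # verify s1 (sign s2 dkey) ekey = (s1 = s2)
    return sig == sign(digest, KEYPAIRS[ekey])

def get_Key_from_ID(asym_id): return DIRECTORY[asym_id]

# Raw-field selectors: tuple positions mirror the FST/SND chains over the 10-tuple.
def getEN_DEK_info(x): return x[3]
def getEN_OriginatorAsymID_info(x): return x[4]
def getEN_MIC_info(x): return x[6]
def getEN_KEY_info(x): return x[7][0][1]    # SND (HD recipients)
def getEN_Message_info(x): return x[8]
def getEN_msg_MsgEncryptIV(x): return getEN_DEK_info(x)[1]
def getEN_msg_EncryptedMIC(x): return getEN_MIC_info(x)[2]
def getEN_msg_EncryptedKey(x): return getEN_KEY_info(x)[1]

# Derived accessors; recipientkey is passed explicitly rather than being a free constant.
def getEN_msg_DEK(x, recipientkey):
    return dek_decrypt(getEN_msg_EncryptedKey(x), recipientkey)

def getEN_msg_message(x, recipientkey):
    return msg_encrypt(getEN_Message_info(x), getEN_msg_DEK(x, recipientkey),
                       getEN_msg_MsgEncryptIV(x))

def getEN_msg_MIC(x, recipientkey):         # same DEK and IV as the message text
    return msg_encrypt(getEN_msg_EncryptedMIC(x), getEN_msg_DEK(x, recipientkey),
                       getEN_msg_MsgEncryptIV(x))

# Security functions. is_PrivateS and is_Intact are defined in pem_definitions, which
# is not reproduced here; these bodies are the readings the theorems above state.
def ENCRYPTED_is_PrivateS(x, recipientkey, message):
    return getEN_msg_message(x, recipientkey) == message

def ENCRYPTED_is_Intact(x, recipientkey):
    ekey = get_Key_from_ID(getEN_OriginatorAsymID_info(x))
    return verify(msg_hash(getEN_msg_message(x, recipientkey)),
                  getEN_msg_MIC(x, recipientkey), ekey)

def build_encrypted_msg(text, dek, iv, originator_id, recipient_id):
    """Same field order as ENCRYPTED_example, with the encrypted fields computed."""
    mic = sign(msg_hash(text), KEYPAIRS[get_Key_from_ID(originator_id)])
    return ("BEGIN PRIVACY-ENHANCED MAIL", (4, "ENCRYPTED"), "RFC822", ("DES-CBC", iv),
            originator_id, ["certificate"], ("RSA-MD5", "RSA", msg_encrypt(mic, dek, iv)),
            [(recipient_id, ("RSA", dek_encrypt(dek, get_Key_from_ID(recipient_id))))],
            msg_encrypt(text, dek, iv), "END PRIVACY-ENHANCED MAIL")
```

Flipping one byte of field 8 (the encrypted text) changes the recovered plaintext, so its hash no longer verifies against the MIC; this is the hash-injectivity hypothesis of ENCRYPTED_is_Intact_msg exercised on a concrete message.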